1. Overview of the LGPD
The Brazilian General Data Protection Law (“LGPD”) regulates the processing of personal data in the public and private sectors, consolidating the legal provisions on the matter of privacy and data protection. Its structure and content reflect a Brazilian law inspired by international guidelines, especially those provided by the European Union’s General Data Protection Regulation (“GDPR”), which entered into force on May 25, 2018.
1.1. Scope of application
The LGPD applies to any individual or legal entity governed by public or private law that processes personal data (collection, production, reception, classification, processing, etc.) in the Brazilian territory, where: (i) the processing has as its purpose the offer or supply of goods or services; (ii) the processed personal data belong to individuals located in the Brazilian territory; or (iii) the processed personal data have been collected in the Brazilian territory. In this regard, the terms of application of the law are notably close to those provided for in the GDPR.
The LGPD is not applicable, however, in cases in which the processing of personal data is carried out:
(i) by a natural person for exclusively private and non-economic purposes;
(ii) exclusively for journalistic, artistic and academic purposes;
(iii) by Public Authorities, in the hypotheses of use for the promotion of public security, national defense, State security or activities of investigation and prosecution of criminal offenses; or
(iv) when the data originate outside the national territory and are not the object of communication, shared use with Brazilian processing agents or international transfer to a country other than the country of origin (as long as the country of origin provides a level of personal data protection adequate to that established in the LGPD).
1.2. Main Concepts and Subjects
For the purposes of LGPD, “personal data” is the information related to an identified or identifiable natural person. Within this set, “sensitive personal data”, in turn, consists of a specific category of personal information that requires a greater degree of legal protection in the face of the discriminatory potential that may arise from its processing. This category consists of personal data on racial or ethnic origin, religious belief, public opinion, affiliation to union or religious, philosophical or political organization, data relating to the health or sex life, and genetic or biometric data, whenever related to a natural person. In this scenario, while personal data is that which can identify or lead to the identification of someone, the sensitive data, in addition to identifying an individual, is capable of promoting discrimination upon him/her. Please note that processing with personal data that reveals sensitive data is also subject to special protection under the law.
It is important to note that in this dynamic of personal data processing there are three fundamental actors: the data subject and the processing agents (controller and processor).
· Data Subject: a natural person to whom the personal data that are the object of processing refer to.
· Controller: natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data.
· Processor: natural person or legal entity, of public or private law, that processes personal data on behalf of the controller.
2. Legal Bases for the Processing of Personal Data
In order to ensure that the processing of personal data will be valid and lawful, the LGPD provides a list of hypotheses in which these operations may occur. These legal conditions, better known as “Legal Bases”, cover different possible scenarios for legitimizing processing operations. Therefore, it is necessary that there is an evaluation by the processing agents to identify the most relevant legal basis for each of their operations, weighing, in this process, factors such as the degree of security of the legal basis against future questioning, the set of accessory measures that it requires, among other issues.
In this sense, according to article 7 of the LGPD, personal data can only be processed:
1. With the consent of the data subject;
2. In order to meet the legitimate interests of the controller or third party;
3. In order to comply with statutory or regulatory obligations by the controller;
4. For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party;
5. During the regular exercise of rights in judicial, administrative or arbitral procedures;
6. For credit protection purposes;
7. For the protection of the life or physical safety of the data subject or third party;
8. For health protection (only by health professionals, health services or health authorities);
9. For carrying out studies by research entities; and
10. For the execution of public policies (only by the Public Administration).
In addition, the processing of personal data will be considered irregular when it does not comply with the legislation (i.e. if it is conducted outside the framework of the authorizations mentioned above) or when it does not provide the security that the data subject can expect, considering: (i) the way in which the processing is carried out; (ii) the result and the risks that are reasonably expected from it; and (iii) the techniques for processing personal data available at the time it was performed.
Once the processing operation is no longer able to fit into any of the legal bases provided for by law, the controller must ensure the end of processing, which will occur when: (i) the processing period ends; (ii) there is a manifestation by the data subject requesting the end of processing; (iii) there is a legal determination in this regard; or (iv) it is verified that the purpose that justified the processing has been achieved, or that the personal data collected has lost its relevance for the intended purpose.
Consent is the hypothesis of direct authorization for the processing of personal data by the data subjects. This legal basis is a form of expression of the data subject’s manifestation of will by which he/she agrees with the processing operations for the determined purposes presented to him/her.
By law, consent is only valid if it is expressed in a (i) free, (ii) informed and (iii) unequivocal manner, either in writing or by any other means that certifies it. In this respect:
(i) Free: data subject must be free to choose whether or not he/she agrees with the processing of his/her data for a specific purpose, which will be assessed in light of the specific context under which the data subject is inserted in relation to the controller;
(ii) Informed: data subject must have easy access to all relevant information about the processing of his/her data, and the controller must present (clearly, appropriately and ostensibly) information on: (a) the specific purpose of the operation, (b) how and for how long the data will be processed, (c) who are the processing agents involved and (d) with whom they will share this data, among other issues.
(iii) Unequivocal: controller must proactively minimize the chances of the data subject having doubts about the processing of his/her data, which is done through the adoption of techniques such as the usage of simple and direct language and in the data subject’s language.
In this regard, all the purposes of the processing must be informed in a clear, detailed and separate way, leaving to the controller the burden of proving that it has adopted the necessary tools and strategies to ensure that the consent was given in accordance with the law (though it is not necessary to gather any evidence of the data subjects’ effective understanding of the information on which their consent was based). Thus, if the information provided to the data subject has misleading or abusive content or has not been previously presented in a clear and unambiguous manner, the given consent will be considered null, not authorizing, therefore, the processing of personal data.
It is important to mention that the data subject has the right to revoke the consent at any time, upon express manifestation and through a free and facilitated procedure. In this scenario, the controller must terminate any processing operation that was exclusively based on the consent of the data subject. Note that even if it is not possible to continue collecting personal data without the consent or other legal bases that might authorize it, the usage of the data prior to the revocation remains valid, and its storage is possible only in the event that the data subject does not also require the elimination of data when revoking his/her consent.
In addition, if there is any change in the processing of personal data that is not compatible with the original consent, whether in relation to the purpose of the operation, its form and duration, the controller or the sharing of this personal information, the controller must inform the data subject, specifically highlighting the content of the changes so that he/she is able to revoke the consent previously granted if he/she disagrees with the change.
2.1.1. Particular cases
The LGPD establishes specific cases in which consent demands greater caution in the way it is obtained: in addition to being free, informed and unequivocal, it must be expressed in a specific and highlighted way, separately from other operations. These additional conditions apply whenever consent is required for the purpose of (i) processing sensitive personal data; (ii) processing children’s data; or (iii) authorizing the international transfer of personal data.
Regarding the processing of children’s personal data, some peculiarities apply, as these operations must be performed in the best interest of the child. For this reason, specific and highlighted consent is not only the sole legal basis applicable to these operations but must also be provided by at least one of the child’s legal guardians.
In this scenario, the controller must also keep public information about the types of data collected, as well as the form of their use and the exercise of the rights that the LGPD confers on the data subject. The law also imposes on controllers the duty to require only the minimum necessary information for the participation of children in games, internet applications and other activities.
2.2. Legitimate Interest
The legal basis of the controller’s legitimate interest will apply in the context in which it is necessary to justify the processing of personal data for legitimate purposes related to its activity. This assessment, however, depends on a balance between the necessity for the controller and the existence of fundamental rights and freedoms of the data subject that require the protection of personal data. In this regard, if these fundamental guarantees prevail, it will not be possible to adopt the “legitimate interest” as a legal basis.
In this evaluation, the LGPD also establishes a list of purposes that could justify the legitimate interest of the controller, being necessary to associate them with the analysis of the specific case. They are: (i) the support and promotion of the controller’s activities; (ii) the protection in relation to the data subject of the regular exercise of his/her rights; and (iii) the provision of services that benefit the data subject, provided that their legitimate expectations are respected. In the event of the processing of personal data based on the legitimate interest of the controller, only the strictly necessary data may be used (with respect to the principle of minimization).
Although limited by the barriers mentioned above, the legal basis of legitimate interest does in fact give greater amplitude to the authorization of different processing operations. For this reason, even though it is necessary for the controller to keep a record of its operations as a whole, this requirement is even more essential for those activities grounded on legitimate interest. It is even possible that the Brazilian Data Protection Authority (ANPD) requires the presentation of a report on the impact of personal data protection in the context of these operations.
Additionally, it is important to mention that the use of the concept of legitimate interest as a legal basis for the processing of personal data is done in a residual way. In this process, it is first assessed to what extent other specific legal bases could support the legitimacy of the operation. If it is not the case, and in fact the use of “legitimate interest” is demanded, it is necessary to verify (i) the extent to which data are processed by legitimate means (in order to support and promote the activity of the controller, but still in benefit of the data subject), and (ii) whether the processing is in accordance with the legitimate expectations of the data subjects (considering their fundamental rights and freedoms in the course of the operation).
2.3. Compliance with Statutory or Regulatory Obligation
The processing of personal data will also be authorized when necessary for the controller to comply with its statutory or regulatory obligations under the Brazilian legal system. It is worth noting that specific activities are subject to broad sets of rules issued by the competent public authorities (such as the Federal Securities Commission (CVM), the Brazilian Central Bank (BACEN) or the Consumer Protection Agency (PROCON)) that further regulate the obligations inherent to these fields, as is the case, for example, in labor, consumer relations, the financial market or insurance.
This legal basis provides greater security for the legitimacy of processing operations since it does not involve the need for prior consent from the data subject (which may or may not be given, as in cases based on consent), or an assessment of the viability of its application (as in the case of weighing the applicability of the legitimate interest). In this way, the greatest clarity and certainty for grounding a data operation in a legitimate way will in fact come in the face of the existence of a legal or regulatory obligation that requires the data processing.
2.4. Execution of a Contract or Preliminary Procedures
In order to operationalize the processing operations (especially access and sharing) of personal data contained or that may appear in private contracts, the LGPD also stipulated the possibility of legal authorization for the processing of data when this activity is necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party. In this scenario, once it is verified that personal data is instrumentally necessary for the execution of a contract or for the execution of its terms, the controller will in fact be authorized to proceed with the referred operation.
To illustrate this scenario, consider the use of personal data to identify and qualify the parties (individuals) to contracts of which they will be part. In addition, in the case of contracts already signed, the use of personal data may be necessary for the performance of the object of the contract, such as validating documentation bearing the signature of a data subject contracted for industrial supervision, a function that requires sharing this personal data across various company documents. Regardless of the scenario, to the extent that the data processing is necessary for the execution or formation of a contract of which the data subject is or will be part, the LGPD does in fact authorize the continuation of this operation.
2.5. Regular Exercise of Rights in Procedures
In consonance with the goal of assessing not only the data subjects’ interests, but also those of the data controllers, the LGPD presents a specific scenario in the procedural field which can be upheld as a legal authorization for the processing of personal data. Accordingly, the data processing operation will be legitimate to the extent that it is necessary to ensure the regular exercise of rights in judicial, administrative or arbitration procedures.
Even though this legal basis can ground any personal data processing operation, its most recurrent application lies within the scope of operations regarding the access, sharing and storage of personal data carried out to meet the formalities inherent to specific proceedings, which may be either potential or already in progress (such as addressing an out-of-court notification). When it comes to potential lawsuits, a data controller may therefore store his/her client’s personal data (even after the end of their legal relationship) to the extent that such information might be relevant to an eventual legal defense, which is plausible considering that such a client might end up in court against him/her.
It should be noted, however, that this storage operation will not be legitimate if it is maintained for an indefinite period. It is necessary, therefore, to observe the limitation period for the eventual filing of a judicial, administrative or arbitration claim against the controller. Once it is recognized that after this period it will no longer be possible to file any claim, the legal basis in question loses its foundation from that moment onwards.
2.6. Protection of Credit
The processing of personal data will also be legitimate when necessary for credit protection, which must be done considering the public interest that surrounds the credit system. In this scenario, this legal basis is widely used not only by specialized bureaus that assess credit risk, but it is also fundamental and strategic for processing agents that rely on matrices for assessing the risk of their credit operations, as is the case for banks or insurance companies, for instance.
2.7. Protection of Life or of the Physical Safety
With a direct focus on the legal good of life, the LGPD provides a specific authorization for the processing of personal data in any operation performed with the intention of enabling the controller to protect the life or physical safety of the data subject or of third parties. In many cases, the processing of data for this purpose will inevitably involve sensitive personal data (such as data relating to the data subjects’ health conditions), which is why this legal basis is also applicable to operations involving this special category of data.
In the midst of the COVID-19 pandemic, for example, the legal basis in question has been used with greater recurrence to the extent that different actors from civil society begin to implement strategies set out to combat the coronavirus in their private environments (such as in corporate buildings, industries or commercial establishments). In this scenario, the collection of medical information from data subjects who walk by these environments is seen as a relevant tool for mapping those individuals who may be potential transmitters of the virus, which is done, therefore, in order to limit the proliferation of the disease. Thus, the collection of personal data (sensitive and non-sensitive) in the scope of the adoption of security sanitary measures is indeed relevant for the protection of life and physical safety of third parties who may come around a certain environment, which grants this processing operation legitimacy under the LGPD.
It is worth mentioning that the principles of transparency and necessity must still be observed as a framework that sets the limits for the usage of this data in a way that no unnecessary or abusive collection of personal data arises under the mantle set by the premise of protection of life. It is important, therefore, that only the processing of the minimum necessary personal data is carried out for the pursuit of the mentioned purposes.
2.8. Protection of Health
Following the same rationale as the legal basis for the protection of life or physical safety, the LGPD broadens the scope of this guarantee by establishing that any operation with personal data that is necessary for the protection of health will, as a whole, be considered legitimate. There is, however, a restriction on which processing agents can invoke this legal basis as grounds for authorizing their activities. The law establishes that this hypothesis applies exclusively to operations carried out by (i) health professionals, (ii) health services or (iii) health authorities.
Given the restriction on which agents can make use of this legal basis, the main controllers in this context are hospitals, health plans and other professionals in the health sector. Additionally, just like the legal basis for the protection of life or physical safety, health protection activities might demand the processing of sensitive personal data (in this case, data related to the health conditions of the data subjects), which is why this legal basis is also applicable to operations involving this special category of data.
Note, however, that operations with such medical data encounter a series of limitations prescribed in the LGPD, which narrow down what can be done with this information even in light of the necessity principle. In this regard, the communication or shared use of sensitive health data between controllers is forbidden whenever carried out with the objective of obtaining an economic advantage, except when done in operations related to the provision of health services, pharmaceutical assistance and health assistance (including auxiliary diagnostic and therapy services), provided that they are performed in the interests of the data subjects. In addition, operators of private health care plans are prohibited from processing health data for risk selection under any contracting modality, as well as for decisions on contracting or excluding beneficiaries.
2.9. Conducting Studies by Research Entities
The processing of personal data will also be authorized when necessary for conducting studies, provided they are carried out by official research entities. In this respect, the LGPD aims to protect the country’s scientific production, making it necessary, however, for the research body to fall within the legal definition of such an entity and to limit its operations to research activities only.
Regarding the data collected, it is important to reiterate that not only should the agency limit itself to collecting the minimum necessary for the pursuit of the research’s purpose, but it should also, whenever possible, promote the anonymization of the personal data collected (that is, ensure the data’s effective depersonalization considering the use of the reasonable technical means available at the time of the processing). Thus, as far as the identification of the data subjects who participate in the research is not necessary, it is recommended by law that the data collection itself be done anonymously from its origin, in a way that the research is developed working with analysis of the results concerning different groups instead of focusing on certain specific data subjects.
2.10. Execution of Public Policies
The processing of personal data finds in the LGPD a final hypothesis of legal authorization, which applies only to operations carried out by the public administration with the purpose of sharing and using the information necessary for the execution of public policies (provided for in laws or regulations, or based on contracts, agreements or similar instruments). The public administration, as a processing agent, is also obliged to comply with the principles and guarantees set forth in the LGPD, and must therefore limit its operations with personal data to the fulfilment of its public purpose and the pursuit of the public interest, in order to carry out its legal competences or to fulfil the legal attributions of the public service.
Additionally, even though the personal data processed by the Public Administration is subject to the LGPD, some rules differentiate its rights and obligations as a data controller from those of private entities. For example, the consent of the data subject is not required for the design and implementation of public policies, while it is required in other scenarios. In addition, in the case of public security, national defense, state security and activities of investigation and prosecution of criminal offenses, personal data will be processed according to specific legislation that is still to be enacted.
2.11. Particularities of the Sensitive Personal Data
As presented above, sensitive personal data are classified as a special category of personal data that requires a higher level of protection under the LGPD. For that reason, some of the legal bases presented above will not be applicable to the processing of such data:
(i) Processing with means to meet the legitimate interests of the controller or third party;
(ii) Processing for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party; and
(iii) Processing for credit protection purposes.
In contrast, the legal bases applicable under the LGPD to both personal data and sensitive personal data are those in which the processing is necessary:
(i) In order to comply with statutory or regulatory obligations by the controller;
(ii) For the protection of the life or physical safety of the data subject or third party;
(iii) For health protection (only by health professionals, health services or health authorities);
(iv) For carrying out studies by research entities; and
(v) For the execution of public policies (only by the Public Administration).
Under this scenario, some legal bases already set forth for the processing of personal data have been complemented in order to increase their level of protection and, thus, be also fit for the processing of sensitive data:
(i) Consent, which must be not only free, informed and unambiguous, but also specific and highlighted; and
(ii) The regular exercise of rights in judicial, administrative or arbitral procedures, which for the processing of sensitive personal data also includes the regular exercise of rights in contracts, analogous to the legal basis for the execution of contracts (excluding, however, the authorization to process data under preliminary procedures related to the contract).
Finally, sensitive personal data can be processed on the basis of an eighth and final legal authorization, which is presented as a replacement for the possibility of processing under the grounds of credit protection and under the legitimate interest of the controller.
In this way, the processing operation will be legitimate when necessary to ensure the prevention of fraud and the safety of the data subject in processes of identification and authentication of registration in electronic systems, as long as easy access to information about the operation is guaranteed. Note that the same weighing of the interests at stake used to evaluate the applicability of legitimate interest is required for this authorization, so that this legal basis will not apply where the fundamental rights and liberties of the data subject that require personal data protection prevail.
3. Remarks on the effectiveness of the LGPD
After some back and forth, the Brazilian normative scenario saw relevant legislative developments throughout 2020 regarding the effectiveness of the LGPD and the definition of the structure and regulatory framework of the National Data Protection Authority. Regardless of the constant revision of the matter in the National Congress through the assessment of Provisional Measures and Draft Laws on the issue, the LGPD’s Substantive Provisions finally entered into force on September 17th (while the effectiveness of its Penalty Provisions was delayed to August 1st, 2021).
It should be noted that while the aforementioned “Substantive Provisions” concern among others, issues on the data processing principles, lawful bases for the processing of personal data, and data subject rights, the “Penalty Provisions” are limited to those in connection to the administrative penalties set forth in the LGPD (that is, the fines and other penalties for the breach of the LGPD that the ANPD may apply in the administrative sphere, such as blocking of personal data, the temporary suspension or the prohibition of personal data processing activities).
In any case, even with the LGPD fully in force, the Brazilian data protection regulation is still under construction insofar as further details are pending the ANPD’s regulation for the LGPD to become fully operational (thus mitigating the doubts that arise from the implementation of its provisions in the market’s daily activities). With the Authority now structured and operational, it has stepped up in this discussion, honoring its regulatory attributions not only by issuing Guidelines on the most pressing matters (on the scope and structure of data breach notifications, for instance), but also by collecting civil contributions for its upcoming regulation of the unclear issues set forth in the LGPD.
For its future regulation, pursuant to the ANPD’s Regulatory Agenda for the 2021-2022 biennium, the Authority shall regulate matters related, for example, to the administrative proceedings for the applicability of the LGPD’s Penalty Provisions; to specific proceedings and warranties for the data and privacy protection on small and medium-sized companies and startups; to the Data Protection Officer’s activities; to the international transfer of personal data; among others.
In the meantime, however, regardless of the ANPD’s pending regulation and the only recent entry into force of the LGPD’s Substantive and Penalty Provisions, it should be noted that the LGPD’s incidence and application are already consolidated as a reality in the Brazilian legal practice. The Public Prosecution, for example, has already actively investigated and prosecuted data breaches involving the leakage of personal data, which were done based on its constitutional authority to petition collective actions in defense of the collective and diffuse interests, especially when the breach involves consumers.
Nowadays, up to the submission of this material (that is, with the LGPD into effect for less than a year), a significant number of enforcement cases has already risen in the Brazilian Courts. While the ANPD has not yet sanctioned data processing agents, the consumer authorities, in both federal and state levels, are enforcing the LGPD starting administrative investigations and imposing sanctions with such legal grounds. In this context, the current Brazilian privacy litigation indicates some important trends, being the main issues disputed in the court cases in connection to the form with which the data subjects’ consent is collected, the use of personal public data and the liability of controllers and processors due to data breaches.
With this scenario in perspective, it is clear that the Brazilian data protection regulation is still being developed at the normative and judicial levels, as it tends to be further specified in the upcoming years both by the ANPD and by the Courts that shall interpret the LGPD in upcoming cases. While current doubts and uncertainties should be addressed in the future, the LGPD is already established in the Brazilian jurisdiction as the normative framework that has brought greater legal certainty to the previously sparse data protection regulation in the country, which is why the standards and provisions currently in effect should be followed in the definition of commercial strategies, not only as good business practice but also as a measure of greater security for the company in Brazil.
Authors: Marcela Waksman Ejnisman, Maria Eugênia Geve M. Lacerda and Miguel Lima Carneiro
Borges Lagoa Street, 1328 – Vila Mariana – 04038-004 – São Paulo – SP
Tel: (11) 5086-5000
APPLICATION OF BRAZILIAN DATA PROTECTION LAW TO THE INSURANCE MARKET
Law No. 13.709/2018, known as the General Data Protection Law (LGPD), was created and approved for the purpose of protecting personality rights, regulating the processing of personal data, protecting the intimacy and freedom of persons and regulating the safekeeping, use, transfer, processing and sale of third-party data. The enactment of that law followed international trends, since approximately 120 countries already had regulation on this matter, and it was mainly inspired by the European regulation.
In short, it is possible to say that the Brazilian LGPD aims at harmonizing the fundamental right to privacy and intimacy protection with the public interest and with the use and development of technology applied to the information age. Before the LGPD was enacted, the right to privacy and intimacy was already guaranteed by the Brazilian Federal Constitution, which clearly established that those rights should prevail over any public interests, by providing for restrictions on access to certain personal information, such as, but not limited to, financial information, correspondence and telephone conversations (article 5, X, XII). In addition, the Federal Constitution protects intimacy and privacy, even if indirectly, by expressly providing for the right to consult and rectify public personal data or personal data registered in databanks of government institutions (article 5, LXXII and XXXIII).
However, the enactment of the LGPD was necessary to grant more legal certainty to personal data, as an informational expression of the privacy and intimacy of individuals, and to specifically regulate the actions relating to the processing thereof, assigning responsibilities to the subjects encompassed by it, from the collection to the storage and use of data, based on the principles of purpose, adequacy, transparency and non-discrimination. All this is due to the broad dissemination of information, especially by digital means, as well as to the growing trend towards the theft of data, which is more and more facilitated by technological improvement, and the use of these data for unlawful purposes.
2. General Aspects of the LGPD
The purpose of the LGPD is to protect personal data of identified or identifiable individuals, governing the processing thereof, including in digital means, by individuals or legal entities governed by public or private law.
The law defines the roles, rights and duties of the persons involved in the processing of information: the data subject (owner of the data), the controller (person who makes the decisions relating to data processing), the processor (person who processes the data), the person in charge (person who acts as a communication channel), the national authority (which monitors application of the law) and the national board (persons who create technical guidelines, reports, studies and opinions).
Based on the legal definitions, as provided in article 5 of the LGPD, the data subjects whose personal data are subject to protection are the individuals to whom the processed data refer, and therefore legal entities are not included as personal data subjects. Processing is understood as any operation with data, involving collection, receipt, classification, use, access, processing, storage, reproduction, disclosure, alteration, communication, among others. It is a very broad concept and contemplates digital and non-digital means.
With respect to the data protection obligations, we note that the law differentiates and classifies the subjects addressed by it, according to their responsibilities and duties. Among the subjects expressly contemplated by the law, in addition to the data subjects, we have: processing agents, person in charge, Brazilian Data Protection Authority and research bodies. The processing agents are individuals or legal entities that process data pursuant to the provisions of law, and they are subdivided into controller, which is in charge of the decisions relating to data processing; and processor, which processes data in the name of the controller.
The person in charge is the individual designated by the controller, who acts in the communication between the controller and the data subject, as well as with the Brazilian Data Protection Authority (ANPD), which is the body in charge of providing, inspecting and implementing compliance with the LGPD in the Brazilian territory. The research body, in turn, is an entity of the direct or indirect public administration, or also a not-for-profit legal entity, the purpose of which includes historical, scientific, technological or statistical basic or applied research.
With respect to the applicability and extent of the LGPD, it shall be applicable and enforceable with respect to the personal data processing carried out in Brazil, to those designed for the offer of goods and services to individuals in the Brazilian territory, and to data collected in Brazil, even if they are processed abroad. Please note that it neither applies to data processing by individuals, provided such processing is made for domestic use and has no economic purpose, nor to data processed for purely journalistic, artistic, academic, public security or investigation purposes. In addition, anonymized data are not deemed personal data protected by the LGPD, and they shall be understood as data that belong to unidentifiable individuals, i.e., data whose data subjects cannot be identified.
Finally, we note that the General Data Protection Law requires the consent of data subjects for the processing of their personal data. Such consent shall be freely pronounced by the data subject, in the form expressly provided in article 8, except with respect to data that have been disclosed by the data subjects themselves. The consent is waived whenever the processing is essential for compliance with a statutory or regulatory obligation by the controller; processing of data required for the execution of public policies; conduction of studies by research bodies; regular exercise of rights; protection of the life of third parties; protection of the health by professionals of the industry or sanitary authority; guarantee of prevention of fraud and of the safety of the data subject in identification and authentication processes in electronic systems, as provided in article 11.
3. The LGPD in the Insurance Line of Business
The insurance market plays a very relevant role in the economy, and it is essential for the economic development of any region in the world, guaranteeing the performance of civil construction, private retirement plan, supplementary health, bank financing, capitalization, civil liability, environmental liability, reinsurance, mass insurance (cars, real estate, telephony, retail) agreements, among many others. Therefore, the LGPD will directly affect the insurance market, and the companies that operate in this market should invest in an adjustment to the new legislation.
The Brazilian insurance market is regulated by the SUSEP (Private Insurance Superintendence), the purpose of which is to authorize, control and inspect the agents that operate in this market. With respect to insurance contracts, the storage of information for regulated activities remains governed by the SUSEP, in accordance with the basic rules of the industry.
The LGPD directly affects the insurance market, considering that the companies that operate in the insurance market deal with personal data of the insureds (individuals) for many purposes, and they shall adjust to the new legislation to process said data, in accordance with the provisions of the LGPD. These data are extremely important for the insurance companies to prospect new clients, analyze the market for the creation of products, devise growth and expansion strategies and engage in corporate actions to maintain their financial health and operability in Brazil.
In addition to the corporate issues, which are common to all companies, the insurance companies also use their personal database to improve the assessment of risk and pricing of their products, i.e., they use the personal data obtained for the offer of services, for economic purposes, subject to the obligations set forth in the LGPD. Until the enactment of the new law, the sharing of information among companies operating in this line of business was to some extent permitted to allow the operability of their business, which requires consultation of the database.
However, upon enactment of the new law, this practice will be prohibited, except as expressly authorized by their individual clients. In addition, all companies shall designate a professional to act as a communication channel among the public, the institution that maintains the information and the regulatory and inspection authority created by the LGPD.
The law grants the data subjects the right to require that the data processing requests be clear and reasonable with respect to their purpose, form, duration and controller, as well as the right to challenge the need for said information. The data subject is also entitled to facilitated obtainment of revocation of consent, correction or elimination of data, anonymization or blocking of unnecessary or excessive data; receipt of information on sharing of the data by the controller, among other rights granted by the Law.
A sensitive point in the new legislation, which affects the insurance companies, is the processing of the so-called “sensitive” data (article 5, II, of the LGPD), such as those relating to the health of the insured. These data are extremely important for the pricing of health, life and pension policies, and they shall be processed with the utmost responsibility, as expressly set forth in the LGPD. Pursuant to the law, the companies shall adopt security measures to protect personal data from unauthorized access, distribution, alteration, unauthorized sale or loss. In addition, we note that the LGPD expressly prohibits the use of personal data to the detriment of data subjects who have provided them for regular exercise of their rights (article 21), which results in the prohibition of collection and maintenance of personal data used by the beneficiary in administrative proceedings or lawsuits in order to create restrictions for the provision of services or to aggravate the contract conditions, for example. The LGPD also prohibits data processing by healthcare plan operators for the selection of risks or exclusion of beneficiaries (article 11, paragraph 5).
However, we note that the text of the LGPD (articles 7, II; 11, II, “a”; and 23) permits that the personal data of the beneficiaries be sent by the insurance operators to regulatory agencies for compliance with statutory and regulatory obligations. It further authorizes the exchange of personal data, including sensitive data, waiving the beneficiaries’ consent, for the production of evidence and defense in administrative proceedings and lawsuits, as well as for the protection of health in procedures carried out by health professionals, health services (including those relating to health insurance plans), or sanitary authorities (article 11, II, “d” and “f”).
On the other hand, the implementation of the LGPD will bring new growth opportunities to the insurance market, considering the focus on the most recent insurance modalities resulting from the information age, such as the so-called “Cyber Insurance”, the implementation of which has already been regulated by the SUSEP, for the purpose of protecting the insureds against cyber incidents, data leakage and privacy and security violations. The policy of this insurance modality may contemplate the coverage of losses generated by violation of the LGPD, such as defense costs, attorneys’ fees and loss of profits.
In practice, all companies, including insurance companies, shall check if their policies and proceedings are in accordance with the LGPD to avoid any type of sanction (which range from warning to partial or full prohibition to engage in data processing activities). For that purpose, they will be required to change their insurance forms and proposals to expressly, clearly and understandably include information relating to personal data processing (article 9 of the LGPD), noting the need for the express consent of data subjects, so as to adjust to the data protection rules and regulations.
In addition, compliance with the statutory provisions requires the creation of appropriate means to respond to the requests from personal data subjects, as well as to keep the data processing records. It will also be necessary to designate a professional to act as the person in charge, pursuant to the provisions of article 41 of the LGPD.
We further note that, in many cases, the handling of personal data by insurance companies may involve sensitive data which, although prior consent is waived in some cases, require additional care in processing to avoid discriminatory conduct. The processing agents are responsible for the damages caused by inappropriate personal data processing, except if they occur due to the exclusive fault of the data subject or of third parties.
Therefore, the LGPD will directly affect the insurance market activities, whose agents shall have the necessary means to protect the beneficiaries’ personal data, which requires adaptation. The required adjustment of the insurance practices to the LGPD requirements will certainly offer new expansion opportunities, by means of new insurance modalities specifically designed for data processing, and the liabilities resulting therefrom.
Schalch Sociedade de Advogados
Authors: Renato Xavier da Silveira Rosa, Jessica Braga Val, Raphael Semana
Avenida Faria Lima, 4509, Itaim Bibi
Postal Code: 04538-133 – São Paulo, State of São Paulo.
Phone: (11) 3889-8996
ROLES IN PERSONAL DATA PROCESSING
a) Data Controllers and Processors
The General Data Protection Law (“LGPD – Lei Geral de Proteção de Dados”) provides for a clear distinction between the roles of data controllers and processors. According to the legislation, the controller is an individual or legal entity which determines the aspects of data processing. In turn, the processor is defined as the individual or legal entity which processes data on behalf of the controller.
It is important to highlight that the processors’ activities towards data processing activities are subordinated to the corresponding data controllers. As a result, processors must perform such activities according to the parameters established by the controller, which will ultimately decide about the processing.
The data controller shall remain responsible for the data processing undertaken by the processor. The controller must not only confirm that its instructions are duly observed, but also certify that the data processing complies with the applicable rules and regulations. Companies hired to process databases in order to improve the accuracy of marketing campaigns are a common example of the controller-processor relationship.
According to the LGPD, both data controllers and processors must keep records of the data processing performed by them. In addition, the National Agency of Data Protection (“ANPD – Agência Nacional de Proteção de Dados”) may require from the data controller the submission of a report about the potential impact of the processing on personal data. Such document shall contain the following minimum information:
(i) Description of the data collected;
(ii) Details about the data collection methodology and the security measures applied to the database; and
(iii) Measures, safeguards and systems adopted to mitigate risks to the data processed.
b) Data Protection Officer
The LGPD sets forth that companies acting as data controllers must nominate a representative responsible for the communication and coordination concerning data processing. This representative is named “encarregado” by the Brazilian legislation and its responsibilities are very similar to the ones applicable to Data Protection Officer provided for by the European legislation on data protection (GDPR).
The LGPD does not establish clear requirements applicable to the data protection officer. Important elements and specific details about this representative are to be set forth by future rules to be enacted by the ANPD. As a result, certain topics are still uncertain, such as the possibility of nominating a legal entity for this role and whether there would be any education requirements that the officer shall fulfill.
As mentioned above, the nomination of the officer is a responsibility applied to the data controller. The controller must also make the officer’s identity and contact information publicly available.
The LGPD defines four main responsibilities applicable to the data protection officer:
(i) Receiving complaints and communications from the personal data subjects and providing the corresponding response and/or solution.
(ii) Receiving communications from the ANPD and adopting the corresponding adequate measures.
(iii) Providing instructions to the employees and third parties hired by the company about good practices to be implemented concerning data processing.
(iv) Executing the additional activities, as instructed by the data controller or required by the applicable future legislation.
The LGPD expressly determines that the ANPD will not only enact additional rules applicable to the data protection officer, but may also set forth additional responsibilities for the agent, as well as define companies that may waive the nomination obligation (based on their activities, size or data processing volume).
LIABILITIES FOR DATA CONTROLLERS AND PROCESSORS UNDER LGPD
The LGPD’s main purpose is to regulate data processing and to protect personal data from unauthorized use. The legislation categorizes the data in different groups, according to the potential harm that the unauthorized use may cause to the relevant data subject. In addition, the LGPD also established several hypotheses in which both the controllers and operators may be held liable for damages arising from unlawful data processing.
As previously mentioned, data processing agents are categorized according to their power to decide about the parameters applicable to data processing activities. Since controllers have greater power over the final decisions about the data, they are linked to a higher degree of accountability before the data subjects, being directly liable for misuse of personal data. In turn, and as a general rule, data processors are liable for damages involving the data processing only in situations in which their actions do not comply with the law or with the instructions received from the data controller.
b) Liabilities for data processing agents
Sections 42 to 45 of the LGPD comprise the rules applicable to data controllers and processors concerning their liabilities before personal data subjects and the corresponding reparation of damages.
In accordance with the current legal framework, the controller is, as a rule, fully and directly liable for the data processing. The data processor may be held jointly liable in case the processing activities were unlawful or were not performed in compliance with the data controllers’ instructions.
It is important to highlight that if the data processing is linked to more than one data controller, all of them are jointly liable for damages arising from such activities.
The LGPD defines unlawful data processing as any data processing activity performed in breach of the data protection legislation or which fails to provide an adequate level of protection to the personal data. The analysis of the sufficiency of the protection level applied comprises elements such as the existence of risk, the means of data processing and the security measures available.
The liability for the data processing agents is subjective, meaning that the fault of the controller or processor must be demonstrated. As a result, the mere existence of damages to the data subject is insufficient to create a compensation obligation (exception made to consumer relations).
In some situations, both data controllers and processors may be exempt from any liability towards the personal data subject. The LGPD sets forth cases of exclusion of liability if:
(i) The controller/processor can prove that they did not perform the relevant data processing activity;
(ii) The controller/processor can prove that the data processing is duly lawful and is not in breach of any agreement; or
(iii) The damages arise solely due to faults caused by the data subject himself or by third parties.
As provided by the LGPD, data processing activities linked to consumer relations are subject to the Brazilian consumer legislation. Accordingly, specific provisions are applicable in those situations, such as the inversion of the burden of proof and the strict liability of the data processing agents.
INTERNATIONAL DATA TRANSFER
In the last few decades, the provision of personal data through various private and public services has become an unavoidable feature of the digital age, whether for participation in social networks, for using GPS or even for purchasing products and services online.
The global society has been experiencing a real revolution in this aspect for a long time, since individuals stopped being just consumers and became suppliers of information and data extremely valuable to several companies in different segments, whether public or private.
Due to economic globalization, it became evident that the circulation of information and personal data in general would go beyond the territorial borders of countries in the world. For this reason, it is important to regulate the conditions for the processing of personal data at the international level (cross-border data transfer).
The Brazilian legislator was inspired by the European data protection legislation (General Data Protection Regulation – “GDPR”) to draft the General Personal Data Protection Law (“LGPD”), which was published on August 14, 2018.
Prior to the LGPD, the Marco Civil da Internet (Law no 12.965/14) was the first legal instrument that began to address users’ rights with regard to international data transfer, and was the only infraconstitutional law that established provisions specifically dealing with personal data on the networks. See the provisions of article 11:
“Art. 11. Any operation of collection, storage, safekeeping and treatment of records, personal data or communications by connection providers and internet applications in which at least one of these acts occurs in national territory is subject to Brazilian law and must respect privacy rights, protection of personal data and confidentiality of private communications and records.
§1º The above-mentioned provision applies to data collected in the national territory and the content of communications, provided that at least one of the terminals is located in Brazil.
§2º The above-mentioned provision applies even if the activities are carried out by a legal entity headquartered abroad, provided that it offers services to the Brazilian public or at least one member of the same economic group has an establishment in Brazil.
§3º The connection and internet application providers shall provide, in accordance with the regulations, information that allows verification of compliance with Brazilian legislation regarding the collection, safekeeping, storage or processing of data, as well as regarding respect of privacy and confidentiality of communications.
§4º Decree will regulate the procedure for investigating violations of the provisions of this article.”
The Brazilian Civil Rights Framework for the Internet was the first legislation in Brazil regarding Internet governance, as there was no specific legislation in the country dealing with the subject until then.
LGPD: authorization for international transfer and regulation by ANPD
International data transfer was addressed in the LGPD, specifically in Chapter V, Articles 33 to 36, being defined as the situation in which the transfer of such data to a foreign country or international body of which the country is a member occurs.
According to Article 33 of the law, international transfer will only be allowed when:
(i) for countries or international organizations that provide a degree of protection of personal data adequate to that provided for in this Law;
(ii) the controller offers and proves guarantees of compliance with the principles, the rights of the holder and the data protection regime provided for in the LGPD (in the form of: (a) specific contractual clauses for a given transfer; (b) standard contractual clauses; (c) global corporate standards, and (d) stamps, certificates and codes of conduct regularly issued);
(iii) the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, in accordance with the instruments of international law;
(iv) the transfer is necessary to protect the life or physical security of the holder or third party;
(v) the national authority authorizes the transfer;
(vi) the transfer results in a commitment made in an international cooperation agreement;
(vii) the transfer is necessary for the execution of public policy or legal attribution of the public service;
(viii) the holder has provided its specific and highlighted consent for the transfer, with prior information on the international nature of the transaction, distinguishing it from other purposes; or
(ix) necessary to meet legal or regulatory obligation by the controller.
Regarding the permission for international transfer of data provided for in item I of article 33, the LGPD is not entirely clear, nor does it provide sufficient details, when it uses the expression “a degree of protection of personal data adequate to that provided for in this Law”. The review of the degree of protection has been delegated to the ANPD through article 34, which should consider the following when analyzing a specific case:
(i) general and sectoral rules of the legislation in force in the country of destination or in the international organization;
(ii) nature of the data;
(iii) observance of the general principles of protection of personal data and rights of the holders provided for in the LGPD;
(iv) adoption of security measures provided for in regulations;
(v) existence of judicial and institutional guarantees for the respect of personal data protection rights; and
(vi) other specific circumstances regarding transfers.
Despite the relevance of the existence of a national data protection authority, we cannot deny that the regulation is made effective not only through standard-setting, but also through private initiative.
It is also important to highlight that there is great economic interest in international data flows, which is why data transfer is also the subject of several international treaties.
That is the reason why Article 35 of the LGPD determines that the verification of the contractual clauses for a given transfer, as well as global corporate standards, is the responsibility of the ANPD, which will consider the requirements, conditions and minimum guarantees provided by Brazilian law for making private solutions feasible, and may even require supplementary information or carry out verification procedures regarding treatment operations, when deemed necessary.
In addition, the ANPD may designate certification bodies, which will remain under its supervision under the terms to be defined in regulations, noting that the acts performed by such bodies may be reviewed by the national authority and in case of non-compliance with the LGPD, may be canceled. Any changes in the guarantees presented in compliance with the general principles of data protection and the fundamental rights of the holder, listed in article 33, item II of the LGPD, must be communicated to the national authority.
Despite several similarities with the GDPR, the structure of the LGPD standard that deals with international data transfer has a relevant difference in relation to the European standard. The Brazilian legislator chose to allow the international transfer of data for compliance with legal or regulatory obligations by the controller, contrary to the rules established by GDPR.
Finally, the international transfer of data within the scope of the LGPD is restricted to the hypotheses listed in article 33 of the legislation, highlighting the rigor and similarity between Brazilian and European legislation. Such elements reinforce Brazil’s commitment to the protection of personal data and put it on the path to being recognized by the European Union and other international organizations as a jurisdiction with an adequate level of protection for personal data.
Authors: Renata Armonia, Bruno Guilhem and Natália Dantas
Fleury, Coimbra & Rhomberg Advogados
Rua do Rocio, 350 – 10º andar – Vila Olímpia
BR-04552-000 São Paulo – SP
Tel +55 (11) 3294 1600
Compliance with the Brazilian Data Protection Law (No. 13,709/2018): Measures and Roadmap
Data-related technology has grown considerably in areas such as artificial intelligence, machine learning, virtual reality, facial recognition, data mining software and the internet of things (IoT). It is widely known that companies use personal information from individuals as a source of profit and to increase their assets.
In this Dataconomy context, and driven by the ‘viral effect’ of the General Data Protection Regulation of the European Union (EU) 2016/679 (hereinafter ‘GDPR’), the Brazilian Data Protection Law (Law No. 13,709/2018, hereinafter ‘LGPD’) was approved in 2018, not in order to prohibit the processing of data, but to ensure greater transparency to individuals about the use of their information by third parties, as well as to promote legal certainty to companies about the criteria and measures that need to be taken to protect the information processed and to avoid sanctions and unexpected penalties.
The LGPD is largely aligned with the GDPR and prescribes many similar rules, especially with regard to data subjects’ rights, legal principles, some of the bases that allow data processing, extraterritorial application, and other provisions.
On the other hand, there are differences between the Brazilian and European regulations, e.g., the LGPD provides four additional legal bases for processing personal data (health protection, protection of credit, carrying out studies by research entities, and storing for the regular exercise of rights in judicial/administrative/arbitration proceedings); the deadline to reply to data subjects’ rights requests is 15 (fifteen) days – half of the GDPR’s – with a clearly defined content indicated in article 18 of the law; the LGPD provides that both controller and processor must appoint a Data Protection Officer, although it does not determine the independence of the DPO, nor does the law specify the circumstances in which they should be appointed, leaving to the Data Protection Authority (hereinafter ‘ANPD’) the role of complementing the regulation.
The LGPD’s relevance had an immediate impact on the judiciary. Judges started expressly mentioning it in relevant decisions even before it came into force. One example is the leading case in which the Supreme Court of Justice decided that the protection of personal data must be guaranteed as a constitutional fundamental right, although omitted from the constitutional text, directly affecting further interpretations on the use of personal information1.
It is of utmost importance to comply with the regulation. In addition to the penalties that can be applied by the Courts, security incidents can be disastrous for companies. A study conducted in 2019 by the Ponemon Institute2 at the request of IBM Security concluded that in Brazil the average cost of a data breach amounts to US$ 1.35 million. It is not only a matter of considerable financial loss but also of avoiding damage to the company’s image in the market, which results in losing consumers and credibility.
For the correct processing and mitigation of risks in their activities, companies must observe best practices and methods of compliance as detailed further below.
Compliance Procedure: scope
As for the compliance procedure, the LGPD describes an active and anticipated posture that must be embraced by companies – both controllers and processors – based on three pillars:
(i) corporate governance: technical and administrative measures for managing data flows must be implemented, guided by the principle of accountability and aiming at a culture of privacy and data protection in the company with a holistic approach. Privacy by design and by default ought to be applied from the conception of products and services. Governance actions include codes of conduct, infrastructure organization, training and workshops;
(ii) technology and information security: procedures, systems and methods for the security of information processed in digital and physical form, comprising technical and administrative measures capable of protecting the information from accidental or unlawful situations affecting processed data, such as unauthorized disclosure, access, loss or alteration. Since the LGPD mainly has open clauses and broad concepts, it will be up to the ANPD to define the exact measures expected to guarantee the confidentiality, integrity and availability of the data processed by companies. We suggest applying methods under ISO/IEC 27001 and 27701; and
(iii) legal: analysis of data processing, information mapping, applying a legal basis to each data handling activity, minimizing or deleting excessive data, adapting contracts with providers, partners and employees as well as intercompany agreements, drafting documents for onboarding, privacy and security policies, drafting the Legitimate Interest Assessment (LIA) and the Data Protection Impact Assessment (DPIA) where applicable, and preparing for incident response and reports to data subjects and the ANPD.
Some of the principles and obligations to be adopted in assessing and preventing data security risks are as follows:
I. Privacy by design and by default. Controllers and processors must adopt policies and measures that meet these principles. As explained by the ICO (Information Commissioner’s Office, the UK Supervisory Authority), ‘this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle’. It is about addressing the security of data from the conception of the business model, products and services, in order to minimize the impact on data subjects and process their data in a transparent way3.
II. Security and confidentiality of data. Controllers and processors must keep software and networks secure and guarantee the confidentiality and integrity of the data, in addition to the immediate availability of processed information if so requested by data subjects. It is highly recommended to train employees from key areas of the company with access to personal data, such as marketing, legal, IT and information security, finance and human resources, in order to enforce the policies and establish a privacy culture.
III. Accountability. The increasing digitalization of companies leads to inevitable security incidents with undue data exposure. Effective preventive measures must be taken to safeguard the integrity and confidentiality of the data, an essential element for fulfilling the legal obligation of accountability (article 6, X of the LGPD) and minimizing the risk of penalties.
IV. Incident Notification. The controller must inform the ANPD and data subjects about incidents capable of causing significant risk or damage. This communication must be made within a reasonable time by the DPO and follow the procedure provided for by article 48 of the LGPD. Several points of the law are still pending regulation by the ANPD, including the interpretation of “significant risk or damage” prescribed in the article mentioned above.
Compliance Procedure: tailor-made approach
There is no ‘one size fits all’ pattern for the compliance procedure. One must craft the method according to the real needs, business model, priorities and ambitions of the company. The approach must be adaptable and flexible in order to create personalized and holistic strategies for the company.
It is possible to deliver a lean compliance program. It is worth mentioning that our law, unlike the GDPR, is not procedural but eminently principle-based. It will be up to the ANPD to establish clear, detailed and specific complementary guidelines.
The procedure does not end after the roadmap. Whether because new regulations are created or because the company is alive and constantly changing its business, data processes, hiring employees, developing services and products and drafting new guidelines, compliance must be monitored regularly. Depending on the size and structure of the company, the designation of a multidisciplinary committee is suggested to follow the procedure, lead the project and make decisions according to the business model and needs.
Although there are no guidelines in Brazil, one of the most recommended international methodologies for data protection compliance is the Privacy Impact Assessment (PIA). According to the Commission Nationale de l’Informatique et des Libertés (‘CNIL’) PIA guide, ‘the PIA rests on two pillars: (i) fundamental principles and rights, which are ‘non-negotiable’, established by law and which must be respected and cannot be subject to any variation, regardless of the nature, severity and likelihood of risks; and (ii) management of data subjects’ privacy risks, which determines the appropriate technical and organizational controls to protect personal data’4.
In a nutshell, as established in the CNIL guide, the compliance approach implemented by carrying out a PIA must observe the following privacy principles:
- respect of legal principles for privacy protection (specified, explicit and legitimate purpose; adequate, relevant and not excessive data; clear and full information to data subjects; limited retention period; the right of opposition, access, correction and deletion, etc.), to determine and justify the relevance of the controls intended to meet these requirements;
- management of risks related to the security of personal data and having an impact on data subjects’ privacy in order to “take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties”.
Compliance Procedure Stages
The stages of the roadmap, as already explained above, will depend on the reality and needs of the company. Below, we briefly describe each of the stages we suggest should be followed to minimize risks.
1. Awareness Workshop
The initial stage of the compliance procedure aims at creating awareness and familiarizing employees with the LGPD terms and rules, as well as explaining to them the work method to be implemented and their role in it. In this way, a culture of privacy is instilled from the outset, and employees start observing more closely how they process data in their routine activities.
2. Data Mapping
According to article 37 of the LGPD, controllers and processors must keep a record of the processing activities (RoPA) carried out by them, especially (but not only) when based on legitimate interest. To comply with this obligation, at this stage we aim at identifying business and data processes and the flow and lifecycle of the information inside and outside the company (data accessed, collected, used, transferred, stored or shared), including commercial relations with suppliers and partners, as well as current privacy and security policies. Additionally, the following steps are followed:
- Drafting the Record of Processing Activities (RoPA) after questionnaires and interviews conducted with key employees;
- Legal assessment of the data processes, including checking whether each of them is supported by a legal basis and whether it is possible and convenient to keep those data. It is also imperative to analyze the legitimacy and confirm the validity of each data process in view of the legal principles (article 6 of the LGPD), storage time, data categories (personal or special), purposes, criteria for cross-border transfer and sharing, and good practices adopted (article 50 of the LGPD);
- Assessment of information security measures on processes;
- Analysis of gaps and assessment of risks on processes.
The development of this stage is fundamental for the compliance procedure and can be quite complex, especially considering the absence of guidelines on what should be included in the RoPA, as this will be informed by the ANPD.
In specific cases where a company processes data at large scale, a Data Discovery can be performed prior to the Data Mapping. For the Discovery, an IT company provides software that is run against the client’s systems in order to automatically detect personal data in its structured and unstructured databases by using algorithms. These services can produce false positives and false negatives and can be highly expensive.
3. Gap Analysis, Risk Assessment, Diagnosis, Reviewing
This stage consists of identifying points of attention with regard to LGPD compliance, including gap analysis and risk assessment in the context of data flows and their processing activities. A diagnosis is developed and, further on, the documents and contracts identified as needing review are reviewed. Below, please find more details about this stage:
- evaluation of organizational structure and process disparities and definition of their impacts;
- analysis of gaps, risks and vulnerabilities in procedures and documents such as: policies, governance, regulations, procedures, data protection clauses, contracts (with clients, partners, service and product providers, employees, third parties with access to personal and sensitive data, intercompany agreements, etc.), consent management, means adopted to guarantee data subjects’ rights, DPIA procedures and Privacy by Design practices, management of incidents including data subject and authority notification, and procedures and instruments for cross-border transfers (Chapter X of the LGPD); and
- drafting an action plan for the implementation of policies and technical and organizational measures on privacy, data protection and information security.
4. Drafting and Implementation
The content of this stage will depend on the previous stages. The implementation is planned and created encompassing legal, organizational and technical measures according to the applicable privacy and sectoral rules. The implementation must prioritize risks and follow a strategic direction to retain as much data as possible, as long as the LGPD is respected. Usually, it includes:
- Drafting agreements and data protection clauses for the documents and legal relationships previously indicated;
- Drafting technical documents, internal privacy and security policies and awareness materials;
- If needed, drafting the Legitimate Interest Assessment (LIA) and/or the Data Protection Impact Assessment (DPIA);
- Training employees and eventually business partners;
- Helping the client create a governance structure responsible for the continuity of the privacy project and for actions to implement the new corporate culture, as well as to allow a PDCA method (Plan, Do, Check, Act);
- Defining the structures for managing consent and for complying with data subjects’ requests related to their rights (where applicable), procedures for international data transfers, incident management and notification to data subjects and the ANPD, and appointing the Data Protection Officer/Office (which may be a company).
Finally, monitoring the procedure is often needed to observe and maintain the policies and methods implemented, which is also required due to possible changes in the business, processes, hiring of employees or development of new products/services. This may include:
- Maintenance of the personal data inventory and data transfer mechanisms;
- Management of the internal data protection and privacy policies;
- Management of awareness and training, information security risks, third party risks and alerts/notifications;
- Monitoring of new operational practices;
- Data loss management program;
- Monitoring requirements of regulatory authorities; and
- Ensuring correct responses to security and privacy incidents.
It is worth considering that monitoring is of utmost importance given that the legislation and national regulations on privacy and data protection, in addition to being new, are constantly evolving. Also, it is worth remembering that the ANPD has the responsibility to draft guidelines and interpret the LGPD clauses.
As explained in this text, the compliance procedure seeks to engage the company in a culture of data protection and information security in order to maintain the new practices and policies implemented during the roadmap. Consequently, it is vital that the company hires competent experts with extensive experience who are willing to deal with the obstacles already expected, given that interpretations of the LGPD still need to be issued by the authorities.
1 – ADI 6387, ADI 6388, ADI 6389, ADI 6390, ADI 6393 – Supreme Court of Justice, decision rendered on May 07, 2020.
2 – Ponemon/IBM study available at <https://www.ibm.com/security/data-breach>
3 – The European Data Protection Board (EDPB) has issued the guidelines 4/2019 on the obligation of Data Protection by Design and by Default <https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201904_dataprotection_by_design_and_by_default.pdf>.
4 – PIA, Methodology. Privacy Impact Assessment (PIA). Methodology (how to carry out a PIA). CNIL, June 2015 Ed.
Authors: Clarissa Luz and Júlia Ribeiro
Felsberg e Pedretti Advogados e Consultores Legais
Av. Cidade Jardim, 803 – 5º andar
BR-01453-000 São Paulo – SP
Tel (11) 3141 3620 / (11) 3141 9185
Fax (11) 3141 9150
GOOD PRACTICES AND CORPORATE GOVERNANCE IN LGPD
By enacting, in August 2018, Law No. 13,709/2018, better known as the General Data Protection Law (“LGPD”), Brazil took an essential step towards establishing special rules aimed at protecting personal data.
Declaredly inspired by the European regulation on the protection of personal data, the General Data Protection Regulation (“GDPR”), the LGPD came to bring to Brazil the cultural change that has been demanded worldwide in the processing of personal data.
As a consequence of technological evolution, with deals being won and closed on the basis of personal data, such data has become a real asset with high economic added value, which has led to the growing and indiscriminate practice of trading in personal data.
To regulate this practice and the damage it may cause to the holders of such data, specific laws for the protection of citizens’ rights have been issued globally. Those laws include the right to privacy and to personal data protection, which is now a requirement imposed by countless countries for doing business with other jurisdictions.
Thus, countries that do not have a specific law to protect personal data may have their economic development affected, insofar as this implies lost opportunities. Also, even if the country is adequately regulated, companies can only remain competitively active if they can prove the effective observance of legal provisions.
To comply with the rules established by the new Law and ensure conformity with the LGPD, companies will need to create operational procedures applicable to their daily routines, such as compliance programs, which initially aimed to meet the requirements of the Anti-Corruption and Money Laundering Prevention Laws.
It should be highlighted that the term compliance comes from the English verb “to comply”, which is nothing more than acting according to a specific rule. Therefore, although compliance programs have been widely disseminated in Brazil based on the regulations mentioned above, the LGPD certainly brought an evident need for companies to have structured programs aimed at complying with data protection rules.
In line with the principle of responsibility brought by the GDPR, the LGPD reaffirms the duties of the agents responsible for the processing of personal data (controller and operator) and, on the other hand, requires such agents to prove that the processing of personal data is carried out in compliance with the legal principles and bases.
Therefore, precisely because of this assumption of responsibility regarding the processing of personal data, companies must incorporate into their daily routines and operations the seriousness and care required in the processing of personal data, in order to ensure its holders the security required by law.
It is with a focus on good practices and governance, represented in a good compliance program, that this article seeks to set out the points to be observed by companies for the purposes of adapting to the LGPD.
2. Good Practices and Governance
It is a fact that our current reality has given more relevance to the protection of personal data and has started to demand safe and adequate processing of data, in place of the formerly precarious knowledge of data subjects about their rights and about the practices applied to the processing of their personal data (a situation that is still current in practice, as the cultural change is in progress).
In this new scenario of protection of the data subject, the processing of such data requires specific care, which is why the implementation of governance programs in privacy and personal data protection has become essential for any company that wishes to comply with Brazilian legislation, not to mention the differentiated position it brings in the market.
For this reason, the company’s interested parties, the so-called “stakeholders”, must be concerned with this topic, being responsible for leading the initiatives for its implementation and making sure that all employees and related third parties follow the structure of good practices for the protection of personal data.
2.1 The provision in the LGPD
It is precisely with a focus on measures of good practices and governance that the LGPD, in its article 50, establishes that controllers and operators, within the scope of their competences concerning the processing of personal data, may formulate rules of good practices and governance that define:
“(…) the conditions of organization, the operating regime, the procedures, including complaints and petitions from holders, the safety rules, the technical standards, the specific obligations for the various parties involved in the processing, the educational actions, the internal risk supervision and mitigation mechanisms and other aspects related to the processing of personal data.”
As seen, the Law allows processing agents to formulate rules of good practice and governance, presenting a series of measures to be followed to define the procedures that aim to ensure the effectiveness of the compliance program, that is, the correct and adequate protection of personal data in activities that require processing.
For this to be achieved, companies will need to define a set of internal actions, taking into account, in relation to the data and its processing, the nature, scope, purpose, probability and severity of the risks and benefits resulting from the processing of the data subject’s data.
It is worth noting that among the principles that the LGPD imposes for the processing of personal data, two apply to good governance practices, namely the principle of security and the principle of prevention.
The principle of security is defined in the LGPD (Art. 6, VII) as “the use of technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or diffusion”.
The prevention principle, in turn, is described in the LGPD (Art. 6, VIII) as the “adoption of measures to prevent the occurrence of damages due to the processing of personal data.”
For the application of these principles, the LGPD establishes that the controller, considering the structure, scale and volume of its operations, as well as the sensitivity of the processed data and the probability and severity of possible damage to the data subjects, may implement a privacy governance program that at a minimum:
- “a) demonstrates the controller’s commitment to adopt internal processes and policies that ensure comprehensive compliance with rules and good practices regarding the protection of personal data;
- b) applies to the entire set of personal data under its control, regardless of how it was collected;
- c) is adapted to the structure, scale and volume of its operations, as well as to the sensitivity of the processed data;
- d) establishes appropriate policies and safeguards based on a systematic assessment of impacts and risks to privacy;
- e) has the objective of establishing a relationship of trust with the holder, through transparent action that ensures participation mechanisms for the holder;
- f) is integrated into its general governance structure and establishes and applies internal and external supervisory mechanisms;
- g) has incident response and remediation plans; and
- h) is constantly updated based on information obtained from continuous monitoring and periodic evaluations.”
In practice, it is possible to verify that part of the minimum requirements set out in the LGPD, except for those specific provisions on personal data, are already observed in traditional compliance programs. This is because these programs also focus on registering and enabling the verification of all measures adopted by the institution to demonstrate the effectiveness of the program and, consequently, the commitment to comply with the Law.
In this sense, it seems to us that the creation and/or updating of the company’s Internal Policies is essential in order to add and/or adapt the rules and procedures aimed at data protection, and the training and updating of all employees, whether technical staff, management, third parties or others, is equally essential.
Thus, except for the new technical requirements related to the topic of personal data protection, the rules of good practices and governance to be defined do not escape the characteristics usually verified in conventional compliance programs.
2.2 Primary Grounds
The support of top management in the implementation of these programs in all departments of the company is crucial to its success, not only ensuring the necessary resources for their execution, but also through the adoption of a position of commitment and declared support.
This support is essential for the creation of a corporate culture that values respect for the new rules for the protection of personal data, which is why it is necessary to understand, at all levels of the company, that ownership and control over personal data belong exclusively to the data subjects themselves, who must be guaranteed full transparency and participation in decision-making.
Only with the understanding of this new culture will the new governance and compliance rules be able, according to the legal requirements and the relevance of the protection of personal data, to be an integral part of all these processes to reach the appropriate level of data protection.
However, for this to happen, companies must know all the personal data processed by their departments, as well as its life cycle, which should include all stages of processing, from collection to transfer/sharing, until its deletion.
For the basis of an effective governance program, it is essential to define clear policies, which must be created and implemented to reach all departments and, consequently, to provide training to all employees, to disseminate the new practices to be adopted and clarify any doubts.
Also, to ensure its effectiveness, continuous risk assessment is necessary, with the adoption of preventive control measures and regular review of policies for updating as needed, not least because the LGPD itself, in its article 50, §3, establishes the obligation to publish and periodically update the rules of good practice and governance.
Once all of these procedures have been carried out, it is essential to create a safe and reliable communication channel to ensure employee participation, whether to request clarifications or even to make complaints. It is a mechanism that makes it possible to monitor behaviors and prevent the commission of illegal acts, allowing the adoption of the necessary preventive measures. For companies that already have compliance programs in place, there is no need to create a new channel, but only to adapt the existing whistleblowing channel in order to direct any reports to the correct professionals.
In order to achieve the main objective of the compliance program, which is the prevention of illicit acts, continuous monitoring is essential to verify that the recipients, whether internal or external, are complying with the rules and standards established in the program, as well as to promote any adjustments to those norms and rules.
2.3 Evidence of Effectiveness
In addition to the implementation of the privacy governance program, the LGPD also provides that the effectiveness of the privacy program must be demonstrated, which may be requested by the national authority or any other entity responsible for promoting compliance with good practices and the Law.
It is worth mentioning that good compliance programs are based on the correct identification of existing risks related to the activity of the agent that performs the processing, and on the implementation of procedures that respond to them appropriately and proportionately. The existence of written rules is not enough; the company must be able to prove compliance with these rules.
In summary, proof of effectiveness requires a periodic reassessment of risks and the implementation of the necessary adaptations. There must be a commitment on the part of top management to efficiently identify and act to minimize the risks verified, as well as the provision and availability of efficient means of communication, both internally and externally.
3. Structuring the Data Protection Program
With the understanding of the importance of good practices in corporate governance for the structuring of a Data Protection Program, it is necessary to embark on a long construction path that will go through several stages until we have a policy adequate to the new corporate reality in the personal data flow ecosystem.
We call the deployment framework the grouping of these phases into central processes that must be observed in a sequenced manner. It is important to note that the first significant step in any structuring is precisely to establish the bases of the Framework itself, that is, what is the process flow that should be followed.
In this case, the essential processes of any standard framework are (i) data mapping; (ii) risk assessment; (iii) creating policies; (iv) training of stakeholders; (v) data management; (vi) internal controls; and (vii) compliance.
3.1 Data Mapping & Risk Assessment
Data Mapping and Risk Assessment are fundamental for building a solid foundation for the Framework and are part of a diagnosis that will guide the next steps of each process.
Data mapping has the function of identifying which personal data are processed and through which areas they travel within the company environment, be it physical or virtual. The data controller will be responsible for analyzing the life cycle of this information, managing the consent of the data subjects, and managing how the data is processed in the company, including storage, potential portability and deletion of that data.
With this mapping done, it is essential to understand the risks involved in and inherent to this entire data flow, from the moment of collection until deletion. At this moment, after data mapping, there are a series of questions that can be asked to identify the risks involved in the processing of this data (“risk assessment”).
The questions should aim at identifying and addressing the following aspects regarding the collection and maintenance of personal data: (i) nature of the data; (ii) need for collection; (iii) form of processing; (iv) legal basis; (v) storage; (vi) data access; (vii) security; (viii) sharing; and (ix) registration of the collected data.
3.2 Internal Policies and Controls
After mapping and evaluating, including completing the questionnaire, it is already possible to build a policy customized to the needs of the company, including the peculiarities of each segment, in line with the adopted Framework.
The so-called Internal Controls represent the regulations that provide the rules for assessing compliance with the policies, including internal audits, frequency of assessments and training.
3.3 Training of Stakeholders
Periodic training to raise awareness among employees and third parties connected to the company is essential to achieve an acceptable level of compliance with the LGPD. It is important to point out that it is highly recommended that these training sessions be recorded and delivered recurrently, with refresher sessions, as a way to always keep all employees up to date and aware of the corporate data protection policy.
3.4 Data Management and Compliance
The collection and processing of data must be a restricted assignment within the corporate environment. It is crucial that all procedures provided for in the Law and the Framework are strictly observed at this stage.
At this point, few stakeholders should have permission and reach to manage the data that travels on the company’s network, whether physical or virtual information.
Having a data collection and processing policy already in place, it is essential to maintain mechanisms for managing the consent of the data subjects and the data life cycle, that is, for how long these two factors remain valid, in force and legitimate. The criteria for this consent must be raised when the Framework is established, which, at least in this respect, must be revisited from time to time, since the authorities can institute or change specific practices for certain markets.
3.5 Supplier Awareness and Contract Review
Unfortunately, it is not enough that the program is fully functioning only within the company; it is necessary that business partners also go through an awareness protocol and are in line with company policies.
For this purpose, it is recommended to revise contract templates to insert clauses that reflect the new provisions of the LGPD and, for contracts already in force, to ensure overall observance of the provisions contained in the Law.
In addition to contractual reviews, as a way to optimize the adequacy and structuring of the program, as well as to mitigate the risks of non-compliance, a very convenient alternative is to extend data protection training to key business partners.
In general, good corporate governance practices represent a fundamental pillar of any data protection program implementation. Not only because the Law expressly mentions the need for such an element, but also because it is in these practices that companies will be able to materialize their diligence and good faith in the observance of the Law.
Considering that we are facing a scenario of uncertainties, in which there is no way of specifying the true effects of the entry into force of the new General Data Protection Law in the medium and long term, the consistency of internal policies and good corporate governance will be fundamental so that companies reach a safe level in data protection.
Cadernos de Direito Empresarial, 15ª Vol, 2020, Gaia Silva e Gaede Advogados.
Juliana Joppert Lopes
Senior Manager of the Business Consulting area at Gaia, Silva, Gaede & Associados – Law Firm in Curitiba
Master in International Business Law from The London College – UCK
Graduated in Accounting Management from the Faculty of Business and Economics – FAE
Specialist in Business Law from the Brazilian Academy of Constitutional Law – ABDCONST
Lawyer graduated from Centro Universitário Curitiba – UniCuritiba
Jennifer Mayumi Mori
Senior Lawyer in the Business Consulting area at Gaia, Silva, Gaede & Associados – Law Firm in Curitiba
Graduated degree in Civil Procedure from the Romeu Felipe Bacellar Law Institute
Specialist in Applied Business Law – LLM by Faculties of Industry – FIEP System
Lawyer graduated from Centro Universitário Curitiba – UniCuritiba
Vanessa Cristina Santiago Giugliano
Partner in the Corporate Law area of Gaia Silva Gaede & Associados in São Paulo
Master in Business Law from Fundação Getúlio Vargas – FGV / SP
Specialist in Corporate Law from Fundação Getúlio Vargas – FGV / SP
Graduated in Civil Procedure from the Pontifical Catholic University of São Paulo – PUC / SP
Graduated in Law from the Pontifical Catholic University of São Paulo – PUC / SP.
Marina Martinez Prazeres Sant’Anna
Senior Lawyer in Corporate Law at Gaia Silva Gaede & Associados in São Paulo
Postgraduate in Business Law from the Institute of Education and Research – INSPER
Graduated in Law from IBMEC-Damásio
Gaia Silva Gaede Advogados
Rua da Quitanda, 126
BR-01012-010 São Paulo – SP
Tel (11) 3797 7400