After years of debate in Brasília, the Brazilian General Data Protection Regulation (BRGDPR) came into force last Friday (09.18.2020), Legislation no. 13.709/2018, inspired in its European equivalent legislation. The BRGDPR formalizes the definition of personal data and regulates its storage and processing by any legal entity, public or private, or person, that treat personal data (collection, classification, processing, etc.) in Brazil.
Having the BRGDPR in force represents a huge achievement for Brazil, that before starting discussions regarding the Legislation in the Senate house – even overturning a decision from the Congress to delay the Legislation enforcement – did not have a consolidated culture of personal data protection. Although some other legislations did touch the topic – e.g., the Constitution and the Internet Bill of Right – Brazilian legal guidelines for personal data use was uncertain, which could lead to security incidents.
The BRGDPR starts with an already approved Data Protection National Authority (DPNA), established by the Provisory Act MP 869/2018, although not yet operational. The DPNA is a direct public administration entity, connected to the President, with the mission to supervise compliance to BRGDPR .
In this context, companies conducting personal data treatment operations in Brazil need to attempt to comply with the new series of standard and procedures defined by BRGDPR. Bellow, we highlight some examples of adjustment to be observed and followed by companies:
Emphasizing the importance of complying with BRGDPR, this Monday (09.21.2020) a Brazilian company was surprised with the first lawsuit regarding data protection filed in Brazil. Originated by Federal Prosecutors` Data Protection and Artificial Intelligence Unit – ESPEC’, the Public Civil Action (lawsuit no. 0730600-90.2020.8.07.0001, in course on Brasília’s 5th Civil Court) has the purpose of sentencing the company to delete all personal data treated unregularly, with legal basis on the 5th article of BRGDPR.
With this court action, it is possible to observe that, even though administrative fines will only be collected in August 2021, there is an urgent need to be in compliance with BRGDPR since penalties and fines can already be applied on litigation. In this case, ESPEC has requested a preliminary injunction to freeze the defendant company website until a final decision is rendered, claiming the termination of the domain due to the understanding that the company sells through its page products with irregular personal data.
Aiming to support the drafting and implementation of initiatives to the compliance of companies with the BRGDPR, ClarkeModet Brazil has the experience of dozens of projects implemented of the past to its European Clients. ClarkeModet’s specialized collaborators on the matter are in disposal to understand clients’ specifical situations and delineate complete plans of adequation, leading to the avoidance of future liabilities with the Legislation enforcement.
Patrícia Falcão and Mauro Ferreira. ClarkeModet Brazil.