News

New legislation

Brazilian General Data Protection Regulation is in force

23 September 2020
New legislation

After years of debate in Brasília, the Brazilian General Data Protection Regulation (BRGDPR) came into force last Friday (09.18.2020), Legislation no. 13.709/2018, inspired in its European equivalent legislation. The BRGDPR formalizes the definition of personal data and regulates its storage and processing by any legal entity, public or private, or person, that treat personal data (collection, classification, processing, etc.) in Brazil.

Having the BRGDPR in force represents a huge achievement for Brazil, that before starting discussions regarding the Legislation in the Senate house – even overturning a decision from the Congress to delay the Legislation enforcement – did not have a consolidated culture of personal data protection. Although some other legislations did touch the topic – e.g., the Constitution and the Internet Bill of Right – Brazilian legal guidelines for personal data use was uncertain, which could lead to security incidents.

The BRGDPR starts with an already approved Data Protection National Authority (DPNA), established by the Provisory Act MP 869/2018, although not yet operational. The DPNA is a direct public administration entity, connected to the President, with the mission to supervise compliance to BRGDPR .

In this context, companies conducting personal data treatment operations in Brazil need to attempt to comply with the new series of standard and procedures defined by BRGDPR. Bellow, we highlight some examples of adjustment to be observed and followed by companies:

Consent Forms regarding the use of personal data need to be created or revised to allow the owners to freely and unequivocally manifest themselves about the use of their data for a determined purpose;

A Data Protection Officer (DPO) must be nominated – articled 41 of BRGDPR – to act on the communication channels with the DPNA and the data owners, as well as to be in charge of internal process changes and organization;

A structure must be in place to respond to data owner demands, allowing them to verify if their rights are being respected;

Responsibilities of suppliers or business partners need to be explicit in contracts in order to avoid unexpected liabilities;

Internal programs must be implemented to ensure that collaborators are able to deal with personal data, within the scope of their roles;

Administrative penalties, warnings and fines can reach up to BRL50,000,000.00 (fifty million Brazilian reais) each infraction, e.g., abuses and security incidents regarding personal data use.

Emphasizing the importance of complying with BRGDPR, this Monday (09.21.2020) a Brazilian company was surprised with the first lawsuit regarding data protection filed in Brazil. Originated by Federal Prosecutors` Data Protection and Artificial Intelligence Unit – ESPEC’, the Public Civil Action (lawsuit no. 0730600-90.2020.8.07.0001, in course on Brasília’s 5^th Civil Court) has the purpose of sentencing the company to delete all personal data treated unregularly, with legal basis on the 5^th article of BRGDPR.

With this court action, it is possible to observe that, even though administrative fines will only be collected in August 2021, there is an urgent need to be in compliance with BRGDPR since penalties and fines can already be applied on litigation. In this case, ESPEC has requested a preliminary injunction to freeze the defendant company website until a final decision is rendered, claiming the termination of the domain due to the understanding that the company sells through its page products with irregular personal data.

Aiming to support the drafting and implementation of initiatives to the compliance of companies with the BRGDPR, ClarkeModet Brazil has the experience of dozens of projects implemented of the past to its European Clients. ClarkeModet’s specialized collaborators on the matter are in disposal to understand clients’ specifical situations and delineate complete plans of adequation, leading to the avoidance of future liabilities with the Legislation enforcement.

Patrícia Falcão and Mauro Ferreira. ClarkeModet Brazil.

¿Te ha parecido interesante? ¡Compártelo!