Brazilian General Personal Data Protection Law and new paradigms

Written by Laiz de Moraes Parra. 10.06.2019. Published in Articles

The new Brazilian General Personal Data Protection Law (LGPDP – Federal Law nº 13.709/18) establishes new paradigms with the objective of safeguarding the fundamental rights to freedom, privacy and the free development of the individual, having as its basis the inviolability of intimacy, honor, image, among other human rights related to the personality.

The new rules will enter into force in 2020, but they are already being interpreted, given the importance of implementing the needed adjustments to data processing operations.

Personal data is defined broadly, as any information related to an individual that may identify them.

The legal text also takes care to protect sensitive data, that is, information about racial or ethnic origin, religious conviction, political opinion, enrollment in a union or organization of a religious, philosophical or political character, as well as information related to health or sexual life, and genetic or biometric data.

Generally, personal data may only be processed with the express consent of its owner. It may also be processed for the fulfillment of a legal obligation, for the performance of studies, agreement, regular exercise of a right in a lawsuit, protection of life, protection of health, or when needed to fulfill the legitimate interests of the controller[1].

The owner of the data is guaranteed legal prerogatives regarding access, correction, anonymization, portability or even revocation of consent. The interests and rights of the owners may also be defended judicially, individually or collectively.

The government must also process data in such a manner that the shared use of information matches the specific ends of public policies and legal attributions; as a rule, it is prohibited from transferring to private entities the elements that make up its database.

In any case, the hypotheses of liability set forth for violation of the rules deserve attention. The controller or operator[2] that, in the exercise of data processing activity, causes patrimonial, moral, individual or collective damages will be obligated to repair them.

Technical and administrative security measures must be adopted to protect the data from unauthorized access and from accidental or illicit situations, and rules of good practice and governance must be established that set conditions, rules and technical standards.

Finally, it must be highlighted that the administrative sanctions, in case of infractions, may range from a warning and daily fine to a fine fixed at two per cent (2%) of the legal entity's revenue, limited to fifty million reais (R$ 50,000,000.00) per infraction; it is also possible to make the infraction public and to block or eliminate the data.

Whether because of the complexity of the theme or because it is a new situation in the legal universe, still pending analysis, interpretation or definition of its consequences, it is important that problems involving personal data violations be accompanied by capable legal professionals, who may help to identify the best solution for each case.

[1] According to the text of the law, the controller is the individual or legal entity, governed by public or private law, responsible for the decisions regarding personal data processing.
[2] Also according to the law, the operator is the individual or legal entity, governed by public or private law, who does the personal data processing on behalf of the controller.