
Brazil

Last Verified on Thursday 6th December 2018


      The Brazilian Federal Constitution protects the intimacy, private life, honour and image of the individual as a fundamental right. It also establishes that mail, data and telephone communications are inviolable, except by court order and within the context of a criminal investigation, and provides for a remedy named habeas data, which can be used to obtain access to, and rectify, information held in public records or databases. At the infraconstitutional level, Brazil has historically adopted sectorial regulation of privacy, data protection and cybersecurity matters.

      On 15 August 2018, however, the Brazilian Data Protection Law (LGPD) was passed, regulating the use of personal data in Brazil by private and public entities in all economic sectors, in both the digital and the physical environment. Inspired by the EU General Data Protection Regulation (GDPR), the LGPD is intended to radically change the Brazilian data protection system, and will become effective on 15 February 2020.

      Because the LGPD did not revoke any pre-existing sector-specific laws, the specific obligations those laws impose may continue to apply to organisations, in addition to the requirements imposed by the LGPD.


      Yes. As mentioned in answer 1, the LGPD comprehensively regulates the use of personal data in Brazil. The LGPD applies to any processing operation performed by an individual or legal entity, whether public or private, regardless of the means used, the country where the entity is headquartered or the country where the data is located, provided that:

      • the processing operation occurs on Brazilian territory;
      • the processing operation has the goal of offering or providing goods or services or the processing operation relates to personal data of individuals located on Brazilian territory; and
      • the personal data was collected on Brazilian territory.

      In addition to the LGPD, other sectorial laws on privacy and data protection may apply in specific circumstances, including, but not limited to, the following:

      • The Wiretap Act (Law 9,296/1996) establishes that interception of communications may only occur by court order, on request by the police authorities or the Public Prosecutor's Office, for the purposes of criminal investigation proceedings;
      • The Consumer Protection Code (Law 8,078/1990) applies whenever a consumer relationship is established between an individual (or, in certain circumstances, a corporate entity) and a service provider or product manufacturer. The privacy of consumer relations and the handling of consumer databases are regulated by this statute;
      • The Telecommunications Act (Law 9,472/1997) grants privacy rights to consumers in relation to telecommunications services;
      • The Bank Secrecy Act (Complementary Law 105/2001) obliges financial institutions to keep the financial data of individuals and entities secret, except under a judicial order issued for the investigation of illegal acts or for use in criminal proceedings;
      • The Brazilian Civil Code (Law 10,406/2002) acknowledges and reinforces the principle that privacy is inherent to an individual's personality and dignity;
      • The Good Payers Database Act (Law 12,414/2011) permits databases of positive credit information (information on the fulfilment of credit obligations) but prohibits the registration of excessive information (personal data that is not necessary for analysing credit risk) and of sensitive data; and
      • The Internet Act (Law 12,965/2014) applies only to personal data collected through the internet, establishing further principles and rules on the privacy and protection of internet users' personal and behavioural data. Among the user rights and guarantees assured by the Internet Act are the inviolability of privacy and intimacy in connection with communications over the internet and communications stored privately. The only lawful ground for processing data subject to the Internet Act is the data subject's informed, free and express consent.


      With the enactment of the LGPD, organisations (ie, both controllers and processors) will be required to adopt security measures, both technical and organisational, suitable to protect personal data from unauthorised access and accidental or illegal destruction, loss, change, communication, or any other form of inappropriate or illegal processing. Other cybersecurity requirements imposed by sectorial laws may also apply.


      The LGPD defines sensitive data as "personal data relating to racial or ethnic origin, religious beliefs, political opinions, membership in unions or organisations of a religious, philosophical or political nature, health or medical history, sexual orientation, and genetic or biometric records when associated with an individual". Under the LGPD, the processing of sensitive data must be justified under the specific lawful bases applicable to sensitive data, which are more stringent than those applicable to personal data in general.


      The LGPD defines the following 10 principles that any organisation processing personal data must observe:

      • Purpose: the processing must be performed for legitimate, specific and explicit purposes of which the data subject is informed, with no possibility of further processing in a manner incompatible with those purposes;
      • Adequacy: the processing must be compatible with the purposes of which the data subject was informed, according to the context of the processing;
      • Necessity: the processing must be limited to the minimum necessary to fulfil its purposes, using data that is pertinent, proportional and not excessive in relation to the purpose(s) of the processing;
      • Free access: data subjects must be guaranteed the ability to query, easily and free of charge, the form and duration of the processing and the integrity of their personal data;
      • Data quality: data subjects must be guaranteed the accuracy, clarity, relevance and currency of their data, as needed to fulfil the purpose of the processing;
      • Transparency: data subjects must be guaranteed clear, precise and easily accessible information regarding the processing and the respective processing agents, subject to commercial and industrial secrecy;
      • Security: the processing must use technical and administrative measures suitable to protect personal data from unauthorised access and from accidental or illicit destruction, loss, alteration, communication or dissemination;
      • Prevention: measures must be adopted to prevent damage arising from the processing of personal data;
      • Non-discrimination: processing is not allowed for illegal or abusive discriminatory purposes; and
      • Liability and accountability: the processing agent must demonstrate that it has adopted effective measures capable of proving its observance of, and compliance with, the personal data protection rules, including the efficacy of those measures.

      In question 13, we elaborate on the limitations and restrictions concerning data processing under the LGPD.


      Yes. In addition to the rules imposed by the LGPD, there are certain sectorial laws on privacy and data protection, as detailed below:

      • Information handled by the government: The Information Access Act (Law No. 12,527/2011) governs the collection, use and processing of data by Federal authorities. It establishes rules and procedures by which citizens can request details of the information collected by the government;
      • Banking secrecy: The Bank Secrecy Act (Complementary Law 105/2001) provides that financial institutions, such as banks, credit card administrators and the stock exchange must maintain strict confidentiality of financial transactions and financial information of their clients. The exchange of data between financial institutions for credit profiling and risk management may be allowed in specific circumstances. Specific and detailed cybersecurity requirements are imposed on financial institutions and payment companies, including specific limitations to contract data processing and cloud services (Central Bank Resolution 4,658/2018 and Circular 3,909/2018).
      • Health: The Medical Ethical Conduct Code (Federal Council of Medicine, Resolution No. 2.217/2018) provides for certain rules on the protection of patients’ information and medical records. A specific resolution issued by the Federal Council of Medicine governs the use of computer systems for storage, handling and retention of such data, authorising the replacement of paper with electronically stored information.
      • Telephone or radio communications: The confidentiality of telephone and computer communications is protected under the Wiretap Act (Law No. 9,296/96) and the Telecommunications Act (Law No. 9,472/97). The access to and interception of telephone and telematics communications may only occur under the authority of a valid court order in criminal investigation proceedings. Pursuant to the Telecommunications Act, the use of clients’ information can only be made for delivering telecommunication services.
      • Employees: employees' data must be processed in accordance with the LGPD. Employee information may be used by the employer to manage the employment relationship. Provided that another lawful basis is available (eg, performance of a contract or compliance with a legal obligation; see question 15), consent is not required for processing employees' personal data, even in the case of sensitive data. In that case, information may be transferred to affiliated entities for certain specific purposes (use by a centralised back office, HR-related activities, etc), provided that the requirements for international transfers are observed (see question 17). Generally, video and electronic surveillance are permitted, provided that employees are informed in advance of all monitoring activities performed by the employer. Certain limitations apply to the monitoring of employees' personal devices.
      • Exercise of a profession: many federal statutes in Brazil cover legal professional privilege, such as attorney-client privilege.
      • Processing personal data on the internet: under the Internet Act, internet connection providers (ie, those that offer telecommunications connectivity for internet access) cannot monitor or store any information concerning the behaviour of the user. Internet connection providers are required to retain connection logs for a minimum period of 12 months. Connection logs must include the date, time and duration of an internet connection made from a given IP address allocated by the connection provider to the user. Internet application providers (ie, those that offer any kind of functionality to their users through the internet, such as social networks, e-commerce websites, etc) must store access logs for at least six months. Access logs must include the date, time and duration of connections to the internet application. Under the Internet Act, free, express and informed consent is always required for collecting data online. With the enactment of the LGPD, other lawful bases may become available for processing personal data (see question 15), as the new statute also applies to data collected online.


      Yes. The Child and Adolescent Act (Law No. 8,069/1990) stipulates that the offer, exchange, delivery, transmission, distribution, publication or disclosure of photographs, videos or other materials containing explicit sex scenes or child pornography is a criminal offence, subject to a penalty of up to eight years of imprisonment. The LGPD adds further protection for children's personal data. Among other provisions, it sets forth that information must be provided to the child in a simple, clear and accessible manner, and that the processing agent must make reasonable efforts to verify that consent was given by the minor's legal representative.


      Generally, violation of privacy rights gives rise to compensation for moral and direct damage. Non-compliance with the provisions of the LGPD may result in a warning, mandatory disclosure of the data incident, deletion or blocking of personal data, and fines of up to 2 per cent of the gross revenues of the company's economic group in Brazil in the preceding fiscal year, excluding taxes, capped at a total of 50 million reais per violation.

      The Consumer Code imposes criminal liability (imprisonment from six months to one year) for certain conduct that may qualify as a crime against consumers, although the imposition of criminal liability for violations of cybersecurity and data protection rules is extremely rare. Generally, the Data Protection Officer (see item 19) and other legal representatives have no criminal liability for violations of data protection and cybersecurity laws.


      The bill of law creating the LGPD provided for the creation of an independent data protection agency responsible for supervising and enforcing data protection laws in Brazil. However, owing to a flaw in the legislative process, the president vetoed the creation of that agency. Under the Brazilian Federal Constitution, independent regulatory agencies and public offices can only be created by means of a bill submitted to Congress by the President, which did not happen with the bill ultimately approved. Nevertheless, a new agency is expected to be created before the LGPD comes into force in February 2020.

      Investigations may be initiated by the Public Prosecutor's Office, consumer protection authorities and the police. Administrative proceedings may be either civil or criminal in nature, and may lead to the filing of civil or criminal public lawsuits, as the case may be.


      The LGPD defines two categories of data handlers: controllers and processors (jointly referred to as processing agents). Controllers are the "natural persons or legal entities, public or private, which are responsible for the decisions concerning the processing of personal data". Processors are the "natural persons or legal entities, public or private, which perform the processing of personal data on behalf of the controller". Generally, processing agents must observe the data processing principles set forth in the LGPD and adopt technical and organisational measures to protect personal data from data incidents.

      According to the LGPD, controllers must comply with a significant number of new requirements, which include:

      • justify the processing of personal data and sensitive data on one or more of the lawful bases available in the LGPD (see question 15);
      • comply with the data subjects' rights (see question 16);
      • report data breaches and security incidents (see question 20);
      • perform privacy impact assessments, when required by the data protection authority; and
      • appoint a data protection officer (see question 19).

      Data controllers must make available to the data subject an easily accessible and detailed privacy notice with information on the data processing activities carried out. The privacy notice must contain clear, adequate and conspicuous information, including, but not limited to:

      • the specific purposes of the data processing;
      • the form and duration of the data processing;
      • the identity and contact information of the controller;
      • information on the shared use of personal data by the controller, with whom the data is shared and for what purpose;
      • the responsibilities of the processing agents; and
      • the rights of the data subjects.


      Processors may process personal data in accordance with the controller's lawful instructions. This means that processors must ensure that whatever processing instructions they receive comply with applicable law. Processors must also process data in accordance with the LGPD. If processors fail to comply with applicable law or with the controller's lawful instructions, they may be treated as co-controllers for the purposes of liability. Therefore, the data transfer agreement between controller and processor should adequately allocate liability in case of any violation of law or breach of contractual duties.


      The consent of the data subject is just one of the lawful bases available under the LGPD. The LGPD establishes 10 lawful bases that may justify the processing of personal data, as listed below:

      • prior, informed, free and unequivocal consent of the data subject;
      • compliance with legal or regulatory obligation;
      • performance of contracts;
      • regular exercise of rights in court, administrative, or arbitration proceedings;
      • legitimate interest of the controller or third party, except when the data subject’s privacy rights should take precedence;
      • by the government, for the processing and shared use of data deemed as necessary for the execution of public policies outlined in laws and regulations;
      • performance of studies by research organisations, ensuring, whenever possible, the anonymisation of the personal data;
      • when necessary for the protection of life or the physical safety of the data subject or third parties;
      • for the protection of health, in procedures conducted by health care professionals or sanitary authorities; and
      • for the protection of credit.

      The LGPD also establishes specific lawful bases for processing sensitive data, which include:

      • prior, informed, free, unequivocal and specific consent of the data subject;
      • compliance with a legal or regulatory obligation;
      • performance of contracts;
      • by the government, for the processing and shared use of data deemed necessary for the execution of public policies outlined in laws and regulations;
      • when necessary for the protection of life or the physical safety of the data subject or third parties;
      • to perform studies by research organisations, ensuring, whenever possible, the anonymisation of the personal data;
      • for the protection of health, in procedures conducted by healthcare professionals or sanitary authorities; and
      • when necessary to guarantee the prevention of fraud and the safety of the data subject in identification and authentication processes in electronic systems.


      The LGPD grants data subjects the following rights over their own information:

      • confirmation of the existence of processing of their personal data;
      • access to the data;
      • correction of incomplete, inaccurate or outdated data;
      • blocking or elimination of data that is unnecessary, excessive or processed in a way that does not comply with the provisions of the LGPD;
      • data portability;
      • deletion of data processed on the basis of the data subject's consent, except where the law authorises the data's retention;
      • information on data sharing carried out by controllers;
      • information on the possibility of not providing consent and the respective consequences; and
      • withdrawal of consent.


      The LGPD allows international data transfers in the following cases:

      • to countries with an adequate level of protection, as defined by the data protection authority (to be created);
      • through the use of standard contractual clauses, binding corporate rules, seals, certificates and codes of conduct approved by data protection authority (to be created);
      • when authorised by the national data protection authority;
      • with the specific consent of the data subject;
      • to comply with a legal or regulatory obligation;
      • when necessary for the performance of a contract;
      • for the regular exercise of rights in judicial, administrative or arbitral proceedings;
      • for the protection of life and physical safety of the data subject or third party;
      • when necessary for international legal cooperation between intelligence, investigation and prosecution public bodies, in accordance with the instruments of international law;
      • based on a commitment made in an international cooperation agreement; and
      • when necessary for the execution of public policy or compliance with the legal attribution of the public service.


      As mentioned in answer 4, controllers and processors are required to adopt security measures, both technical and organisational, suitable to protect personal data from unauthorised access and from accidental or illegal destruction, loss, alteration, communication or any other form of inappropriate or illegal processing. Such measures must be adopted from the conception of any new technology or product, which will require organisations to implement a privacy by design approach.

      Other sectorial laws, such as the requirements imposed on financial institutions by Resolution 4,658/2018 of the Brazilian Central Bank, may impose specific cybersecurity requirements on organisations. Likewise, the Consumer Protection Code provides that companies must take all reasonable measures to offer safe and defect-free products and services. Therefore, if an organisation does not implement appropriate security measures (normally based on industry standards or best practices), a product or service may be deemed defective and trigger liability under that statute as well.


      The LGPD requires controllers to appoint a Data Protection Officer (DPO), who is responsible for:

      • receiving complaints and notifications from data subjects, providing clarifications and adopting the necessary measures within the entity, in accordance with national and international data protection regulations;
      • receiving notifications from the data protection authority and adopting all necessary measures;
      • guiding employees and contracted parties on the practices to be adopted in relation to the protection of personal data; and
      • performing other activities determined by the controller or established in supplementary or sectorial regulations.

      The data protection authority may establish complementary rules on the definition and role of the DPO, and may even exempt certain controllers from this obligation. Generally, the DPO has no criminal liability for his or her acts and omissions.


      The LGPD provides that data security breaches resulting in material risk or harm to individuals must be reported to the data protection authority within a reasonable time and, where required by that authority, to the affected data subjects. Specific information is required to be included in the notification to the authority:

      • a description of the data and individuals affected;
      • the risks related to the data incident;
      • the reasons why the notification to the data protection authority has been delayed, if applicable;
      • the technical and security measures taken to protect the data; and
      • the measures that were or will be taken to revert or mitigate the effects.


      Brazil does not have any federal law, regulation or guidance specifically applicable to fintechs on data protection and cybersecurity matters. However, fintechs may be subject to the specific rules applicable to financial institutions and payment service providers. Specific privacy and data protection rules apply to banks, brokerage firms, credit card companies and other institutions involved in financial services under the Banking Secrecy Act, which provides for the confidentiality of financial transactions and limits how that information may be shared. Companies handling such information must implement robust structures to ensure that its secrecy is preserved.

      In addition, financial and payment institutions must comply with specific requirements imposed by the Brazilian Central Bank, including, but not limited to, those set forth in (i) Resolution No. 4,658, which requires financial institutions to implement and maintain a cybersecurity policy and an incident response plan, and to observe certain requirements when hiring data processing, storage and cloud service providers; (ii) Resolution 4,474, which requires financial institutions to adopt procedures and technologies for the digitalisation of documents and the maintenance of scanned documents; and (iii) Resolution No. 4,480/2016, which regulates the opening and closing of bank accounts by electronic means. Financial institutions may become members of self-regulatory associations, such as the Brazilian Financial and Capital Markets Association (ANBIMA), and, by doing so, must comply with self-regulatory rules, including those related to cybersecurity.

      If a fintech engages in activities for which a licence from the Central Bank is required, all the laws and regulations above apply. All fintechs must comply with the LGPD, regardless of whether they are licensed by the Central Bank.


      The LGPD requires controllers and processors to adopt security measures from the conception of any new technology or product, which requires those organisations to implement a privacy by design approach.

      Although there is no express privacy by default requirement in the LGPD, a privacy by default approach is recommended in order to comply with the data protection principles set forth in the LGPD.

      The data protection authority will establish the circumstances in which a privacy impact assessment (PIA) is required. A PIA is likely to be required for the processing of sensitive data and when relying on legitimate interest as the lawful basis for processing personal data. The LGPD expressly sets forth that the PIA must contain:

      • description of the data collected;
      • methodology used for the collection of data;
      • methodology used for guaranteeing the security of information; and
      • analysis of the controller in relation to the measures, safeguards and mechanisms adopted for the mitigation of risks.


      Marketing campaigns by email are likely to be deemed legitimate under the opt-in or ‘soft opt-in’ system, but shall always allow the data subject to opt out from receiving such messages. The telecommunications regulators determined that mobile carriers are only allowed to send promotional messages to their users who have expressly accepted receiving them.


      Brazil has not enacted a specific law regulating cloud services. Nonetheless, several rules may affect the provision of cloud services, such as those on the storage of digital information, cross-border data transfers, outsourcing of IT infrastructure and cybersecurity, among others. The LGPD applies irrespective of the means used to process personal data. Specifically for financial institutions, the Brazilian Central Bank issued Resolution No. 4,658, which sets forth specific requirements for hiring cloud service providers.


      Data protection laws must be complied with by both private entities and the government.

      The LGPD specifically establishes some exceptions where it does not apply, such as the data processing activities performed exclusively for public safety, national defence, state security and activities related to investigations and suppressing criminal offences.
