The General Law of Data Protection (Law 13.709/2018, the Brazilian version of the European GDPR – General Data Protection Regulation), or LGPD, that provides on the processing of personal data, including in digital media, by natural person or legal entity of public or private law, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the natural person’s personality, which has already been enacted, will come into force in August 2020.
It is any information related to a natural, living, identified or identifiable person. Include also sensitive personal data, that is the set of distinct information that can lead to the identification of a particular person.
The processing of personal data, as described in the law, considers all operations carried out with personal data, from the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction, in summary, data life cycle.
This law applies to any data processing operation, carried out by a natural person or by a legal person under public or private law, regardless of the method, the country of its headquarters or the country where the data are located.
The ANPD is the National Data Protection Authority is the federal public administration body, with direct subordination to the Presidency of the Republic, responsible for ensuring, preparing guidelines, implementing and monitoring compliance with the LGPD.
A fine of up to 2% (two percent) of the turnover of the private legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to R$ 50,000,000.00 (fifty million reais) per infraction;
Publication of the infraction after duly ascertained and confirmed its occurrence;
Blocking the personal data to which the infringement relates until it is regularized;
Deletion of the personal data to which the offence relates.
Given the complexity and vastness of personal data that companies have, the LGPD diagnosis is fundamental and indispensable in pointing out how personal data is being treated within the company and how it should then be treated to be in compliance with the LGPD.