LGPD - Introduction

LGPD - Você já deve saber o que é a lei!

Vivemos em uma sociedade em que a informação é cada vez mais útil e valorizada. Os meios de coletar todos os tipos de informações estão se multiplicando ao nosso redor sem que percebamos.

Acessar um site, postar nas redes sociais, escolher um filme no Netflix ou definir um caminho no Waze são exemplos de situações em que compartilhamos nossas informações pessoais, ou dados pessoais, como são chamados por lei.

Como Renato Opice Blum e Viviane Nóbrega Maldonado bem conceituaram na obra LGPD - Lei Geral de Proteção de Dados [i], a informação que antes era um insumo básico, tornou-se uma commodity de grande valor comercial. Coletar e negociar essas informações é o grande lance do início do século, quando empresas milionárias surgem com um clique do mouse.

No meu artigo anterior (https://monitordigital.com.br/inteligencia-artificial-ea-advocacia-brasileira-parte-1-2 e https://monitordigital.com.br/inteligencia-artificial-ea-advocacia-brasileira -parte 2-2), falei um pouco sobre inteligência artificial, Big Data, a revolução que já começou e que afetará drasticamente nossa vida pessoal e profissional em um futuro próximo.

Well, the basis of all this transformation is precisely the information and mainly yours, mine, our information.

Well, the basis of all this transformation is precisely the information and mainly yours, mine, our information.

So far we have little concern for the information we provide. Most people are concerned only with the bank password or e-mail, but have not yet realized that every day he shares with several companies several other very important data, such as his fingerprint.

When you deliver, at the entrance of the doctor's building that eventually visits your fingerprint, you are sharing the same fingerprint that is used to access your bank account at an ATM or to unlock the door of your home or office that you already have. use an electronic lock.

This fingerprint in turn is now in a database that links it to your registration at the building entrance, where you were also asked for a photo and an identity document, that is, in a simple ticket to a "people" building ( several and indeterminable) already know your name, ID, CPF, have your photo and even your fingerprint!

At this point, you, like anyone, must have realized how vulnerable we are in this connected world. I believe that you already feel a little more insecure than moments before reading this article and a lot more insecure than if you had just given the bank password, right?

Yeah. This brief example served to give an idea of ​​how ignorant we are in this area, how our data is collected and the degree of exposure to which we are subjected without any legal protection.

É nesse cenário que surge a Lei Geral de Proteção de Dados, Lei 13.709 / 18, cujo objetivo principal é a proteção de dados pessoais. Promulgada em 14/08/2018, encontra-se em período de vacatio legis e entrará em vigor em agosto de 2020.

DADOS PESSOAIS, conforme define a lei no artigo 5º, I é "Informação relativa à pessoa singular identificada ou identificável".

Here it is already possible to perceive some limit to the reach of the LGPD. It refers to the natural person, that is, data from legal entities are not the object of protection.

There is also a category of data with special treatment, denominated by law by SENSITIVE PERSONAL DATA, which are those listed in art.5, II, among them ethnicity, religion, political opinion, health data, biometric, etc., which I will deal with in the next articles. LGPD is, therefore, a law prepared with the objective of protecting the personal data of natural persons and for that, it brings a series of rules that must be complied with by companies or even natural persons that perform DATA TREATMENT.

The law conceptualizes the treatment of data in the same article 5, in item X and there lists a series of conducts, among them: collection, production, reception, classification, transmission, storage, modification, transfer, diffusion, extraction, etc.

Any company that handles data, whether from its customers or even employees, must meet the requirements of the law. This implies complex changes in procedures that involve several areas of its structure, in particular marketing, HR, compliance, IT and the legal.

Once again the rule is "Tone of the Top", or in Portuguese, "the example comes from above". I say again, because this is already one of the pillars for the effectiveness of compliance programs, and that here also needs to be used.

The protection of rights such as freedom and privacy of the holders of personal data, that is, all of us, must be a concern of those who run the company and must be transmitted to everyone who participates, this awareness must be developed as a new culture . New culture because the concept of what it is and the importance of information has yet to be transmitted to most of us.

As I said before, few know the importance of our personal data, even less know the means by which they are collected and worse, almost nobody knows how they are used / treated (I have doubts if anyone really knows). Hence the importance of the commitment of the entire team, from all areas of the company, which together need to be aware of possible non-conformities.

The law defines that "CONTROLADOR"/CONTROLLER is the natural or legal person who is responsible for deciding on the processing of data (art.5, VI), "OPERADOR"/PROCESSOR is the one who treats the data in order and on behalf of the controller (art.5, VII) and designates these two as TREATMENT AGENTS (art.5º, IX).

The treatment agents are therefore those who will collect, store and use our personal data. They are, therefore, responsible for complying with LGPD regulations and guaranteeing privacy, freedom and the free development of the personality of the natural person.

These processing agents are jointly and severally liable for any damages resulting from data processing (art.42, §1º) and the same article of the law provides that there is the possibility of reversing the burden of proof by the judge.

The law establishes ARCO, Access, Rectification, Cancellation and Objection of treatment rights. The list in Article 18 defines situations and behaviors that may be required of treatment agents, that is, anyone whose personal data has been collected by a company may require: confirmation of the existence of the treatment, access and correction of the data , portability, elimination, information for whom and for what purpose they are shared, etc.

If not met, the data subject can file individual or collective actions and sanctions range from blocking the processing of data to the payment of a 2% fine on billing (art.52).

There is also the possibility of criminal liability, as the law provides in art.52, §2º that the sanctions provided for therein do not replace the application of administrative, civil or criminal sanctions defined in Law No. 8,078, of September 11, 1990, and in specific legislation.

It is seen that the condominium in our example at the beginning of the text will have to take a series of precautions before asking for any type of personal data from its visitors. Here is an important initial reflection: can the size of the controller influence the level of compliance with the law? Is it reasonable to require a small business or even a professional to meet all your requirements?

In the next articles, I will talk about these requirements, mainly the requirement for the existence of a "ENCARREGADO" / DPO - Data Protection Officer (art.5, VIII), who is the person who should be the communication channel between the controller, the data holders and the ANPD (Autoridade Nacional de Data Protection). I will also talk about the GDPR - General Data Protection Regulation, applied in the European Union and which was the basis for the creation of the LGPD and I will highlight some of the most controversial points that we will have to face already in August 2020.

[i] OPICE BLUM, Renato et al. LGPD - General Data Protection Law. Revista dos Tribunais, 2019.


Walter B. Duque - Lawyer, partner at AWD (www.awdconsultoria.com.br), with multidisciplinary training from EMERJ - School of Magistarture of the State of Rio de Janeiro, specialist in digital law, certified by the Opice Blum Academy in LGPD, Exin Privacy & Data Protection Practitioner, Exin Privacy & Data Protection Foundation, Exin Information Security Management Foundation ISO / IEC 270001 by AdaptNow.