LGPD - Introduction

LGPD - Você já deve saber o que é a lei!

Here it is already possible to perceive some limit to the reach of the LGPD. It refers to the natural person, that is, data from legal entities are not the object of protection.

There is also a category of data with special treatment, denominated by law by SENSITIVE PERSONAL DATA, which are those listed in art.5, II, among them ethnicity, religion, political opinion, health data, biometric, etc., which I will deal with in the next articles. LGPD is, therefore, a law prepared with the objective of protecting the personal data of natural persons and for that, it brings a series of rules that must be complied with by companies or even natural persons that perform DATA TREATMENT.

The law conceptualizes the treatment of data in the same article 5, in item X and there lists a series of conducts, among them: collection, production, reception, classification, transmission, storage, modification, transfer, diffusion, extraction, etc.

Any company that handles data, whether from its customers or even employees, must meet the requirements of the law. This implies complex changes in procedures that involve several areas of its structure, in particular marketing, HR, compliance, IT and the legal.

Once again the rule is "Tone of the Top", or in Portuguese, "the example comes from above". I say again, because this is already one of the pillars for the effectiveness of compliance programs, and that here also needs to be used.

The protection of rights such as freedom and privacy of the holders of personal data, that is, all of us, must be a concern of those who run the company and must be transmitted to everyone who participates, this awareness must be developed as a new culture . New culture because the concept of what it is and the importance of information has yet to be transmitted to most of us.

As I said before, few know the importance of our personal data, even less know the means by which they are collected and worse, almost nobody knows how they are used / treated (I have doubts if anyone really knows). Hence the importance of the commitment of the entire team, from all areas of the company, which together need to be aware of possible non-conformities.

The law defines that "CONTROLADOR"/CONTROLLER is the natural or legal person who is responsible for deciding on the processing of data (art.5, VI), "OPERADOR"/PROCESSOR is the one who treats the data in order and on behalf of the controller (art.5, VII) and designates these two as TREATMENT AGENTS (art.5º, IX).

The treatment agents are therefore those who will collect, store and use our personal data. They are, therefore, responsible for complying with LGPD regulations and guaranteeing privacy, freedom and the free development of the personality of the natural person.

These processing agents are jointly and severally liable for any damages resulting from data processing (art.42, §1º) and the same article of the law provides that there is the possibility of reversing the burden of proof by the judge.

The law establishes ARCO, Access, Rectification, Cancellation and Objection of treatment rights. The list in Article 18 defines situations and behaviors that may be required of treatment agents, that is, anyone whose personal data has been collected by a company may require: confirmation of the existence of the treatment, access and correction of the data , portability, elimination, information for whom and for what purpose they are shared, etc.

If not met, the data subject can file individual or collective actions and sanctions range from blocking the processing of data to the payment of a 2% fine on billing (art.52).

There is also the possibility of criminal liability, as the law provides in art.52, §2º that the sanctions provided for therein do not replace the application of administrative, civil or criminal sanctions defined in Law No. 8,078, of September 11, 1990, and in specific legislation.

It is seen that the condominium in our example at the beginning of the text will have to take a series of precautions before asking for any type of personal data from its visitors. Here is an important initial reflection: can the size of the controller influence the level of compliance with the law? Is it reasonable to require a small business or even a professional to meet all your requirements?

In the next articles, I will talk about these requirements, mainly the requirement for the existence of a "ENCARREGADO" / DPO - Data Protection Officer (art.5, VIII), who is the person who should be the communication channel between the controller, the data holders and the ANPD (Autoridade Nacional de Data Protection). I will also talk about the GDPR - General Data Protection Regulation, applied in the European Union and which was the basis for the creation of the LGPD and I will highlight some of the most controversial points that we will have to face already in August 2020.

[i] OPICE BLUM, Renato et al. LGPD - General Data Protection Law. Revista dos Tribunais, 2019.

Author:

Walter B. Duque - Lawyer, partner at AWD (www.awdconsultoria.com.br), with multidisciplinary training from EMERJ - School of Magistarture of the State of Rio de Janeiro, specialist in digital law, certified by the Opice Blum Academy in LGPD, Exin Privacy & Data Protection Practitioner, Exin Privacy & Data Protection Foundation, Exin Information Security Management Foundation ISO / IEC 270001 by AdaptNow.

linkedin.com/in/walter-duque-010061b7