The final version of the General Data Protection Law (LGPD), was ratified by the Brazilian Federal Senate in May 2019 and signed into law by President Jair Bolsanaro in July 2019.
When the LGPD was first passed by the Brazilian Senate in August 2018, the then President, Michel Temer, vetoed the law’s provision of setting up a Federal Data Protection Authority to oversee and implement this regulation on constitutional grounds.
However, the LGPD is now scheduled to come into effect on August 16, 2020.
Some of the key changes incorporated into the final version of the LGPD include:
- The establishment of the National Data Protection Authority (ANDP)
- A review of automated decisions
- The handling of personal health information
- Administrative sanctions
- The role of the Data Protection Officer
The Establishment of the National Data Protection Authority
In the final version of the LGPD sanctioned by Brazilian leader, Jair Bolsanaro, the National Data Protection Authority will now be anchored in the Office of the President.
However, the law provides for the enactment of a change within two years of the LGPD being enforced. This aspect is aimed at giving the ANDP more autonomy.
The primary duties of the ANDP include:
- Ensuring compliance with the LGPD
- Receipt and resolution of data subjects’ complaints
- Perform audits
- Provide support services to businesses in terms of understanding and preparing for various circumstances that will emerge when the LGPD comes into effect
A Review of Automated Decisions
According to the draft version of the LGPD, in case a data subject needed to seek a re-examination of any decision reached exclusively through an automated manner, it was within their rights to ask a company to use a human agent to carry out the assessment.
However, the final version of the LGDP eliminates the review of automated decisions by a human agent.
This provision is different from Article 22 of the GDPR which grants consumers the privilege of getting human intervention in the assessment of automated decisions.
The Management of Personal Health Information
The final version of the LGPD not only establishes the protection of health data but also covers the procedures used by health service providers and professionals as well as sanitary agencies.
For this reason, the LGPD prohibits the sharing of specific types of sensitive personal information, except if;
- the information is crucial to the delivery of healthcare or pharmaceutical assistance
- It is beneficial to the welfare of the data subject
- It is not intended for private health insurance to review contract exposures, as well as adding or removing beneficiaries
- It is for the purpose of either data portability petitioned by the data subject or monetary transactions resulting from the receipt of healthcare services
The Role of the Data Protection Officer
The initial conception of the LGPD provided for the appointment of a Data Protection Officer (DPO) with a legal and regulatory background in data protection. Essentially, a DPO was required to have extensive knowledge of both LGPD and the EU’s General Data Protection Regulation (GDPR).
However, President Bolsanaro amended this provision by arguing that this requirement would amount to an overly rigorous qualification, in addition to being against public welfare, and a violation of fundamental rights.
The bill signed into law also provides for the appointment of the DPO by the data controller, which is different from the procedure employed in appointing Data Protection Officers under the GDPR.
Another crucial update is connected to the fact that the requirement to appoint a Data Protection Officer under the LGPD is now applicable to both controllers and processors. Primarily, DPO’s are expected to act as the link between data subjects, businesses, and the ANPD.
Although the regulatory penalties remain unchanged in the final version of the LGPD, it is still important to highlight them.
LGPD’s administrative sanctions include;
- Caution with a pointer for the adoption of corrective measures
- A fine of up to 2% of the previous year’s sales revenue limited to 50 million reais for every violation
- Daily fine limited to the aforementioned value
- Disclosure of the violation after due investigative processes and its occurrence verified
- Erasure of the personal information related to the violation in question
Essentially, the LGPD provides that the ANPD my fine non-compliant companies with temporary, and in some cases, permanent suspension from data processing activities.
Our detailed LGPD summary gives you a simplified, yet a comprehensive breakdown of the key provisions under Brazil’s data protection regulation.
For personalized LGPD compliance support, book a call with us today to speak with a data privacy and security expert.
Download your free LGPD e-book and have it delivered directly into your inbox.