LGPD – General Data Protection Law (Law 13,709/18)
Definition of Basic Concepts of the LGPD
The General Data Protection Law (LGPD), Law No. 13,709/18, deals with the processing and protection of personal data. Its purpose is to guarantee the fundamental rights of freedom and privacy, establishing rules for the collection, storage, processing and sharing of personal data.
The scope of the LGPD extends to all sectors of the economy, both public and private, aiming to protect the fundamental rights of freedom, privacy and the free development of a natural person's personality.
It applies to all companies, regardless of the sector (public or private), that deal with personal data, whether in physical or digital format, inside or outside the company, on an internal server or in the cloud.
Personal data protection standards aim to protect the holder of personal data, establishing specific rules for the collection, processing and storage of this information.
Areas Affected by LGPD:
- Services provision
- Digital Business
- Human Resources
- Information Technology (IT)
All operations carried out with personal data are considered Processing of Personal Data, including:
- Collect
- Production
- Front desk
- Classification
- Use
- Access
- reproduction
- Streaming
- Distribution
- Processing
- Archiving
- Storage
- Elimination
- Assessment
- Information control
- Modification
- Communication
- Transfer
- Diffusion
- Extraction
Personal Data Processing Hypotheses:
- Consent
- Compliance with legal obligation
- Execution of a contract, among others.
Important Definitions:
- Personal data: Information related to identified or identifiable natural persons, customers and suppliers.
- Sensitive Personal Data: Data related to ethnicity, religion, politics, health, sexual orientation of an identified or identifiable natural person.
- Personal Data Holder: Natural person to whom the data refers.
- Personal Data Controller: Entity that holds the data.
Data Subject Rights:
- Access to personal data
- Data correction
- Eliminating unnecessary data
- Revocation of consent
Other Important Terms:
- Consent: Clear statement by which the holder agrees to the existence of their personal data in the possession of the controller, for a specific purpose.
- National Data Protection Authority (ANPD): Brazilian federal body responsible for the protection of personal data and privacy, with oversight duties under the LGPD.
- In charge: Person appointed by the Controller, responsible for communication between the controller, the data subjects and the ANPD, in addition to supervising the processing of data.
Company Adequacy to LGPD:
- Creation of a Working Group: Formation of a multidisciplinary group to prepare the company to comply with LGPD obligations.
- Designation of Person in Charge: Appointment of a person to perform the duties of supervisor.
- Diagnosis: Survey of information about the life cycle of personal data and identification of processing flaws.
- Preparation of Action Plans: Preparation of plans based on the results of the diagnosis for the internal governance structure, formation of a privacy committee, internal documents and data processing manual.
- Implementation of Action Plans: Execution of the plans drawn up in the previous stage.
- Training: Training of all people involved with the processing of personal data from customers and suppliers.