On August 14, 2018, the Brazilian General Data Protection Act (LGPD) – Statute #13,709 established general rules for the protection of every individual’s personal data – something that, until then, lacked safeguards and limits on third-party use.
The Act also established the Brazilian Data Protection Authority (ANPD), which, since then, in exercising its role of protecting personal data, prepared guidelines with the purpose of advising individuals and organizations to properly handle personal data; after all, the LGPD is not intended to regulate data of legal entities, for profit or otherwise.
And in this context, the guide titled “How to Protect Your Personal Data” was created in partnership with the National Consumer Secretariat (Senacon) and addressing the subject in a language accessible to any reader.
The guide begins by exemplifying situations in which an individual’s personal data may be processed on a day-to-day basis:
– When taking out a loan on a bank, data on your ability to pay are processed; |
– When interacting on a social network, personal data on your behavior is processed; |
– When participating in a company’s loyalty program, data about your consumption may be collected; |
– Personal data, including registration and health data, are processed for health treatment in hospitals. |
The guide then emphasizes the importance of data protection for citizens, the economy, and society in general, noting that the LGPD achieved rights provided for in the Brazilian Constitution of 1988 by complementing the protection provided by the Consumer Protection Code and the Brazilian Internet Bill of Rights. It also established a different regime for small businesses, such as micro-enterprises and startups.
When addressing the risks for consumers in illicit personal data processing, the guide lists a few cases that are rather unknown by the general population, such as:
- Monitoring behavior and restricting fundamental freedoms;
- Discrimination;
- Economic losses;
- Restricted access to goods and services;
- Violation of privacy;
- Identity frauds;
Continuing with its educational purpose, the guide also explains what personal data is, making LGPD’s definition clear: “any information related to the identified or identifiable natural person”. In practice, this means that any personal information that can be associated with a person, either to directly identify them or to associate this data with a context allowing for their identification – for example, using an email address, a cell phone number or an internet post – are considered personal data.
Therefore, the guide then lists the most common personal data of a data subject, that is, the natural person to whom the processed data relates, although this list is by no means exhaustive:
- Name and surname;
- Home address;
- Email address (if it has elements identifying the owner, such as first and last name);
- Gender;
- Date of birth;
- Number of official documents, such as General Registration, National Taxpayer’s Registry, and Social-Security Number;
- Geolocation data from a mobile phone;
- Personal phone number.
Below, the guide clarifies who are the personal data processing agents:
Controller | the processing agent responsible for making major decisions regarding personal data processing, as well as for defining its purpose and the essential elements of such processing. |
Processor | the processing agent acting on behalf of the controller, which must process data only in accordance with its instructions and in compliance with the law. |
In addition to these personal data processing agents, the LGPD also requires companies and public agencies to appoint a data protection officer to facilitate communication between processing agents, data subjects, and the ANPD.
And what is processing of personal data? Indeed, it is any operation carried therewith, such as production, retrieval, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, alteration, communication, transfer, disclosure or extraction. In addition, the LGPD set 10 cases in which personal data can be processed by a third party, by an individual, or by a legal entity from the public or private sector:
- When there is consent by the data subject;
- When the controller needs to process this data to comply with a legal or regulatory obligation;
- When the federal government executes public policies or in the performance of its institutional functions;
- For a research body to carry out studies;
- For the performance of contracts to which the data subject is a party, at the request of the data subject;
- For the exercise of rights in judicial, administrative, or arbitral proceedings;
- For the protection of the subject’s life and physical safety;
- For the protection of health in a procedure performed by health professionals, health services, or health authority;
- When necessary to meet the legitimate interests of the controller or a third party, except when fundamental rights and freedoms of the data subject that require personal data protection prevail; and
- For credit protection.
Following its mission of educating the reader, the guide then lists the principles guiding data processing and considered by the ANPD when analyzing any potential LGPD violation. The principles are as follows:
Purpose | the processing of personal data must have a specific, clear purpose and be informed to the data subject. Processing cannot be carried out for general purposes; |
Suitability | compatibility of the processing with the purposes informed to the data subject, according to the context of processing; |
Need | limitation of processing to the minimum necessary for achieving its purposes, covering data which are relevant, proportionate, and not excessive in relation to the purposes of data processing; |
Free Access | Data subjects are ensured facilitated and free access to information regarding the form and duration of processing, as well as on the completeness of their personal data; |
Data Quality | data subjects are ensured that the data is accurate, clear, relevant, and up to date, as required for the fulfillment of the purpose of its processing; |
Transparency | data subjects are ensured clear, precise, and easily accessible information on the processing and the respective processing agents, safeguarding commercial and industrial secrets; |
Safety | use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, modification, communication, or dissemination; |
Prevention | adoption of measures to prevent damages due to the personal data processing; |
Non-Discrimination | the processing cannot take place for illicit or abusive discriminatory purposes; |
Accountability and Liability | demonstration, by the agent, of the adoption of effective measures capable of proving compliance with the rules for the protection of personal data, including the effectiveness of such measures. |
From then on, the guide describes real-world situations, starting with a hypothetical purchase in which the store needs personal data to deliver a product, especially name, address, and phone number. If an invoice is required in addition to such data, the person’s National Taxpayer’s Registry is also needed.
If the person so wishes, the store needs to provide information regarding the processing of their personal data for said purposes and, if necessary, the sharing of their personal data by the store, thus having the right to know with whom and why – for example, with a carrier. The data must be stored in a secure environment and the person must be given the right to update it whenever necessary.
The guide then emphasizes the data subject’s rights over their personal data when held by third parties:
- Confirmation
- Free Access
- Correction
- Anonymization
- Blocking
- Exclusion
- Portability
- Elimination
- Revocation of Consent
- Request for Information
- Review
- Request for Explanations
- Not Being Charged for Exercising Rights
Following are guidelines on how public and private organizations should act when processing someone’s personal data:
- Ensuring that every personal data processing has a legal basis;
- Keeping records of data processing operations;
- Preparing an impact report on the personal data protection when the treatment may generate risks to the subject’s civil liberties and fundamental rights;
- Designing secure systems protecting data from its inception;
- Informing the data subject and the ANPD of personal data security breaches which may cause relevant risk or damage, with the appropriate containment or mitigation measures;
- Informing the data subject if there is any change in data collection purposes;
- Repairing damage caused as a result of personal data processing when in violation of legislation;
- Confirming the existence or providing access to personal data upon request by the subject;
- Disclosing the types of collected data;
- Describing the methodology used for data collection and sharing;
- Describing the methodology used to ensure information security;
- Permanently evaluating used safeguards and risk mitigation mechanisms;
- Appointing the Data Protection Officer and publicly disclosing their contact information;
- Accepting complaints, communications, and providing clarifications to data subjects;
In addition, the data subject is also encouraged to protect their personal data as follows:
- Creating backups of stored data, mainly in the cloud;
- Enabling encryption on disks and external media, such as pen drives;
- Creating strong passwords with a combination of special characters, uppercase and lowercase letters and numbers, avoiding using personal information or common words;
- Enabling two-step password verification when available, particularly in cloud storage systems and messaging applications;
- Installing applications only from official sources and stores;
- Always updating operating systems and applications;
- Erasing stored data before getting rid of equipment and media;
- Distrusting links received trough messaging applications;
- Limiting the disclosure or provision of personal data over the internet, including for social networks or companies, to when strictly necessary;
Finally, the guide clarifies that, in the case of a consumer relationship, the data subject may file a complaint on the website consumer.gov.br or in Consumer Protection Offices, Public Defenders, Prosecution Offices, etc. in case of violation of their rights, gathering all the evidence proving said violation. If not in a consumer relationship, the data subject may file a complaint directly with the company or with the ANPD, especially if the company does not solve the problem. In any case, it is not mandatory for the data subject to contact the company first.
The guide, which is freely available to everyone, certainly becomes an important tool for a better understanding of each person’s rights over their personal data.