
The data subject's right to access their personal data, and the nightmare it creates for businesses

The General Data Protection Law (LGPD), Law 13.709/2018, was designed to regulate the protection of personal data handled by third parties (individuals, companies or the government) for commercial purposes.

Brazil's LGPD is very similar to Europe's GDPR. There are differences in some specific aspects, but they are not the focus of this post.

Among the many rules in the LGPD, several rights are granted to the data subject. One of the most significant is the individual's right to access their personal data, as set out in Art. 9:

“The subject has the right to easy access to information regarding the treatment of his/her data, which must be made available in a clear, appropriate and conspicuous way, among other characteristics provided for in regulations for meeting the principle of free access.”

The lawmaker's intention is the best possible: to guarantee the security of personal data processed by a third party, and the data subject's right to know what personal information that third party holds and for what purpose. After all, who wouldn't want to know whether their personal data is under the control of a third party?

However, the world is experiencing an unprecedented increase in online fraud. As technology advances, the techniques available to wrongdoers also become more sophisticated and diverse, presenting serious challenges to companies complying with the LGPD, not least because of the growing risk of inadvertently handing over personal data to an impersonator who claims to be the data subject.

Since the National Data Protection Authority (ANPD) has not yet begun to exercise its regulatory role, many questions still require legal clarification. For example: what counts as an acceptable means for a company to confirm an applicant's identity, so that it can be sure the applicant is the real data subject and entitled to the information requested? The GDPR supervisory authorities in Europe, however, are already taking a stand on such issues.

In 2020 alone there have been several significant cases concerning the data subject's right to find out which third parties are processing their personal data, and how that right is exercised.

In the Netherlands, the credit bureau Bureau Krediet Registratie (BKR) limited free access by data subjects to their own personal data to one request per year and charged a fee for additional requests. Following numerous complaints, the Dutch data protection authority (Autoriteit Persoonsgegevens, AP) fined BKR €830,000.

Another very recent case caught everyone's attention. On November 11, 2020, a German court confirmed a fine of €900,000 against the telephone company 1&1 Telecom GmbH, reduced from the €9.55 million originally imposed by the German federal data protection authority (BfDI). The BfDI had found that anyone calling the company's customer service department could obtain a customer's personal data simply by providing that customer's name and date of birth. The BfDI considered this authentication procedure a violation of Article 32 of the GDPR, which requires the controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. Name and date of birth are not secrets: they are widely available, so knowing them proves nothing about who is on the line.

After the penalty, 1&1 Telecom made its authentication process more secure by requiring additional information from callers.

In Brazil, the National Data Protection Authority has not yet made clear which authentication measures are secure enough to allow access to the information requested by an applicant. Until it does, a good starting point is the authentication measures that banking institutions have long required: identifiers such as name and date of birth should only locate a customer record, while the data itself is released only after the requester proves control of a contact channel or credential already on file.
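To make the contrast concrete, the following is an added example written for this post; it is not code from 1&1 Telecom, any bank, or any regulator. It places the weak pattern described above (name plus date of birth unlocks the record) beside a hardened flow in which those identifiers only locate a candidate record and a single-use, time-limited code is sent to the contact address already on file, with an attempt limit. The customer records, the `send_oob` callback and the lockout parameters are all assumptions constructed for the demo.

```python
"""Identity verification for a data subject access request: weak vs hardened.

Added example; the customer table below is fictitious and the out-of-band
sender (email/SMS) is a hypothetical callback supplied by the caller.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample customer database (not real people).
CUSTOMERS = {
    "c-1001": {"name": "ana souza", "dob": "1985-03-14",
               "email": "ana.souza@example.com", "cpf_last4": "4321"},
    "c-1002": {"name": "joao lima", "dob": "1990-07-02",
               "email": "joao.lima@example.com", "cpf_last4": "8765"},
}

TOKEN_TTL_SECONDS = 600   # assumption: code valid for 10 minutes
MAX_ATTEMPTS = 3          # assumption: three wrong codes lock the request


def _locate(name: str, dob: str):
    """Return the customer id if exactly one record matches name + date of birth."""
    hits = [cid for cid, r in CUSTOMERS.items()
            if r["name"] == name.strip().lower() and r["dob"] == dob.strip()]
    return hits[0] if len(hits) == 1 else None


def weak_verify(name: str, dob: str):
    """The pattern the post criticises: public-ish facts alone release the record."""
    cid = _locate(name, dob)
    return dict(CUSTOMERS[cid]) if cid else None


@dataclass
class _Pending:
    customer_id: str
    token_hash: bytes      # keyed hash of the code; plaintext is never stored
    expires_at: float
    attempts: int = 0


class DsarVerifier:
    """Hardened flow: identifiers locate, possession of the on-file channel releases."""

    def __init__(self, send_oob, now=time.time):
        self._send = send_oob            # hypothetical sender: send_oob(address, code)
        self._now = now
        self._key = secrets.token_bytes(32)
        self._pending: dict[str, _Pending] = {}

    def _hash(self, token: str) -> bytes:
        return hmac.new(self._key, token.encode(), "sha256").digest()

    def open_request(self, name: str, dob: str) -> str:
        """Step 1: nothing is disclosed. A code goes to the address already on file,
        never to an address the caller supplies. The response is identical whether
        or not a record exists, so the endpoint cannot be used to enumerate customers."""
        request_id = secrets.token_urlsafe(16)
        cid = _locate(name, dob)
        if cid is not None:
            code = f"{secrets.randbelow(10**8):08d}"
            self._pending[request_id] = _Pending(
                cid, self._hash(code), self._now() + TOKEN_TTL_SECONDS)
            self._send(CUSTOMERS[cid]["email"], code)
        return request_id

    def complete_request(self, request_id: str, code: str):
        """Step 2: release the record only for a fresh, unexpired, single-use code."""
        p = self._pending.get(request_id)
        if p is None:
            return None
        if self._now() > p.expires_at:
            del self._pending[request_id]
            return None
        p.attempts += 1
        if not hmac.compare_digest(p.token_hash, self._hash(code)):
            if p.attempts >= MAX_ATTEMPTS:   # lock out after repeated guesses
                del self._pending[request_id]
            return None
        del self._pending[request_id]        # single use
        return dict(CUSTOMERS[p.customer_id])


if __name__ == "__main__":
    outbox = []
    v = DsarVerifier(lambda addr, code: outbox.append((addr, code)))
    rid = v.open_request("Ana Souza", "1985-03-14")
    print("weak flow leaks:", weak_verify("Ana Souza", "1985-03-14") is not None)
    print("hardened flow, wrong code:", v.complete_request(rid, "00000000"))
    print("hardened flow, code from on-file email:", v.complete_request(rid, outbox[0][1]))
```

The important design points are the ones the 1&1 case turned on: the caller never chooses where the code is delivered, a failed lookup and a successful one look the same from the outside, the code is short-lived and single-use, and the server stores only a keyed hash of it.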

Employees must be trained to route access requests to the Data Protection Officer (DPO), so that the DPO applies all the necessary authentication measures and personal data is never disclosed to anyone other than the actual data subject. If a formal protocol establishes the procedure to be followed in response to such requests, much potential fraud can be averted.