Products and Services

Q&A – General Data Protection Law

What is LGPD? When did the LGPD come into effect?

The Brazilian General Data Protection Law ("LGPD") (Law No. 13,709 of 2018) is the rule that regulates the processing of personal data of individuals in Brazil, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the natural personality.
It should be noted that the LGPD deals with the processing of personal data of individuals, not directly affecting the data of legal entities.
The LGPD went into effect on September 18, 2020, with the exception of sanctions, whose effectiveness was extended to August 1, 2021.

Cabe ressaltar que a LGPD versa sobre os o tratamento de dados pessoais da pessoa física, não tingindo diretamente os dados de pessoas jurídicas.

A LGPD entrou em vigor em 18 de setembro de 2020, com exceção das sanções, cuja vigência ficou prorrogada para 1º de agosto de 2021.

Who is subject to the LGPD?

The LGPD is intended for all natural and legal persons, public or private law, regardless of the medium, the country of their headquarters or the country where the data is located provided that:
• The data is processed in Brazil;
• The data have been collected in Brazil; or
• The purpose of the processing is to offer or provide goods and services to individuals located in the country.
The aforementioned law does not apply when the processing is made by an individual for economic and non-economic purposes (e.g. phone books, e-mails, etc); for exclusively journalistic, artistic or academic purposes, and when aimed at public security, national defense and state security, or activities of criminal prevention and repression.

What are personal data? What about sensitive personal data?

Personal Data is any information that can identify or lead to the identification of its holder (natural person), such as registration data (name, ID, CPF, etc) or even behavioral data (cell phone identification number, IP, internet browsing preference).
Sensitive Personal Data is a special category of personal data, which, because it can be used in a discriminatory way, is subject to stricter rules for its processing. Sensitive Personal Data is personal data about racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data when linked to a natural person.

Dado Pessoal Sensível é uma categoria especial de dados pessoais, que, por existir a possibilidade de ser utilizado de forma discriminatória, está sujeito a regras mais rigorosas para seu tratamento. Os Dados Pessoais Sensíveis são dados pessoais sobre origem racial ou étnica, convicção religiosa, opinião política, filiação a sindicato ou a organização de caráter religioso, filosófico ou político, dado referente à saúde ou a vida sexual, dado genético ou biométrico, quando vinculado a uma pessoa natural.

What is data processing according to the LGPD?

The concept of data processing covers any operation performed with personal data, such as: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, diffusion or extraction.

Who is the data subject?

The data subject is the natural person him/herself, i.e. the individual to whom the personal data relates, e.g. the patient.

Who are the processing agents? Who controls and operates data?

The controller is the natural or legal person who decides how the personal data will be handled (e.g. a freelancer or a doctor who collects data from his patients and decides what he will do with it).

The operator is the natural or legal person who processes the data of the data subjects based on orders received by the controller (e.g. the laboratory that received material to perform a biopsy).

What are the rights of data subjects with the entry into force of the LGPD?

The LGPD provides a range of rights to data subjects, these being:

• Confirmation of the existence of processing;
• Access to data;
• Correction of incomplete, inaccurate or outdated data;
• Anonymization, blocking or deletion of unnecessary, excessive data or data treated in violation of the provisions of the LGPD;
• Portability of the data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets, in accordance with the regulations of the controlling body;
• Deletion of personal data processed with the consent of the holder, except in the cases provided for in Article 16 of the LGPD;
• Information on public and private entities with which the controller has shared data
• Information on the option of not consenting and the consequences of doing so;
• Revocation of consent, pursuant to § 5º of art. 8 of LGPD.

What is the ANPD? What is its role?

The Brazilian National Data Protection Agency ("ANPD") is the federal public administration body responsible for ensuring the protection of personal data and for implementing and enforcing compliance with the LGPD in Brazil.
ANPD's mission is to ensure the widest and most correct observance of the LGPD in Brazil and, to that extent, to guarantee due protection to the fundamental rights of freedom, privacy and free development of the personality of individuals.

What are the penalties for non-compliance with the LGPD?

The LGPD brings a series of administrative penalties for non-compliance with the law:

• Warning;
• Simple fine of up to 2% limited to R$ 50M (fifty million reais) of the legal entity's revenues per violation;
• Daily fine;
• Publicizing the infraction;
• Blocking of personal data to which the violation refers until its regularization;
• Deletion of personal data to which the violation refers;
• Suspension of processing of the personal data to which the infringement relates; and
• Partial or total prohibition from engaging in data processing activities.

It is worth pointing out that all these sanctions are administrative, and that there may also be eventual liability for damages in the judicial sphere.

What are the general impacts of the LGPD on health?

All areas that handle personal data in the course of their activities need to pay attention to the topic of personal data protection and compliance with the LGPD. The healthcare area repeatedly performs sensitive data processing, which brings the need to conform to the LGPD more decisively.

The healthcare industry already prizes confidentiality and secrecy of information. The rules established in the LGPD must be strictly observed whenever personal data is processed, whether from patients, employees (health professionals, technicians, administrative staff), visitors, suppliers and/or contractors.

Regarding healthcare, what does the LGPD prohibit?

The LGPD expressly prohibits the communication or shared use of sensitive personal health data for economic advantage, except in specific situations.

The specific situations are: sharing when the purpose is to provide health care, pharmaceutical assistance, and health care services, including diagnostic and therapeutic services, for the benefit of the interests of the holder.

When can sensitive personal data be processed?

As a rule, the processing of sensitive personal data is only allowed if any of the following situations are met:
• When the data subject consents (e.g. patient who authorizes the sharing of his/her data; volunteer who consents to participate in clinical research);
• For compliance with a legal or regulatory obligation (e.g. keeping data recorded in physical records for 20 years from the last record • CFM Resolution No. 1.639/2022 and Law No. 13.787/2018);
By the Public Administration, for the execution of public policies (e.g. epidemic data for the development of prevention policies or to combat the disease);
• For the performance of studies by research bodies (with anonymization of data whenever possible) (e.g. data for research on the effectiveness of a certain drug);
• For the regular exercise of rights in contracts and legal, administrative or arbitration proceedings (e.g. conclusion of a contract for the provision of medical-hospital services or individual plans; or in the defense of an eventual lawsuit proposed by the beneficiary);
• For the protection of the life or physical safety of the insured or a third party (e.g. when an accident occurs, the insured is unconscious, and first responders need to check his or her personal documents to inform the family);
• For the preservation of health, in procedures carried out by health professionals, health services or health authorities;
• For fraud prevention and to ensure the security of the cardholder (e.g. internal TV circuit filming ICUs or biometric authentication for consultation release).

What if the processing does not fit into any of the hypotheses of the LGPD?

According to Articles 7 and 11 of the LGPD, processing may only be performed in the authorized cases provided for in those articles. If the processing does not fit any of the hypotheses, the processing agent must rethink the activity so that there is a chance of authorization or stop performing the activity.