The so-called General Data Protection Regulation (GDPR) in Brazil (LGPD in Portuguese) has been in effect since September 18, 2020. Companies that have not yet adapted to the new rules therefore need to implement the necessary changes as soon as possible, because penalties for non-compliance with the law will start to be applied from 2021.
For those who aren’t quite sure where to start, we’ve prepared this guide with everything you need to know about GDPR in Brazil and its impacts, so that your company can start the next year without worrying about any kind of legal sanction. Read on.
About the General Data Protection Regulation in Brazil
The General Data Protection Regulation (GDPR – in Brazil) was enacted by then-President Michel Temer in August 2018 and entered into force in September 2020. This two-year “window” between approval and entry into force served as a period for companies to adapt to the new rules. Thus, those who are not even aware of what GDPR is and its effects are somewhat behind schedule. The good news is that there is still time to make up for lost ground and reorganize your business operations to comply with the law. To begin, here is a brief overview of what the GDPR is.
The General Data Protection Regulation regulates the terms under which the collection, processing and sharing of user data may take place. A more transparent standard is now in force for the management of this information, so that citizens have greater assurance that their personal data will be used only for purposes previously agreed with the companies.
Until then, we lived in a scenario of total lack of regulation, with user information being reproduced and stored without any kind of consent or security parameters, which leaves room for a series of problems. However, since the GDPR entered into force, it has been established that:
The processing of personal data can only be carried out in the following cases:
I – upon the provision of consent by the holder;
II – for compliance with a legal or regulatory obligation by the controller;
III – by the public administration, for the processing and shared use of data necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments, […]
IV – to carry out studies by a research body, ensuring, whenever possible, the anonymization of personal data;
V – when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;
VI – for the regular exercise of rights in judicial, administrative or arbitration proceedings, the latter under the terms of Law nº 9.307, 11/23/96 (Arbitration Law);
VII – to protect the life or physical safety of the data subject or a third party;
VIII – for the protection of health, exclusively, in a procedure performed by health professionals, health services or a health authority;
For companies that do not comply with these provisions, the GDPR in Brazil provides for the application of fines and administrative penalties to be established by the National Data Protection Authority – ANPD, a federal agency responsible for supervising the application of the law.
The GDPR in Brazil has implications for all sectors of the economy. Basically, from now on, it will be necessary to state the reason for requesting data from your customers and potential customers, and to know how to assign the correct classification to this data, which is divided into:
Personal data – information capable of identifying a person, such as identification numbers (RG and CPF), name and address.
Sensitive data – information related to a person’s more specific attributes, such as ethnic/racial origin, political positions, religious convictions, sexual orientation and the like.
It is also worth identifying another important concept, which is data processing:
Data processing – any action involving personal data is considered “processing”, from the moment the data is collected until the moment it is deleted.
With these distinctions made, let us look at some critical events that deserve attention.
Data acquisition without consent
Purchasing lead lists, even before GDPR approval, was already an ethically inappropriate practice. From now on, it becomes a crime.
Thus, under no circumstances should your company’s commercial department share or receive user data without the proper consent of those involved.
In addition, information already in the organization’s possession must not be used for any purpose other than that informed during collection. Data from market research carried out a few years ago, for example, cannot be used in any other way. In this case, using anyone’s personal data for a simple commercial contact is already illegal.
Communicating with your lead base
Let’s assume that you already have a contact base of clients and potential clients with which you communicate regularly through different relationship channels, such as email and WhatsApp. To maintain this type of communication, it will be necessary to identify in which cases these people can be contacted again.
According to the GDPR in Brazil, this contact must be proven to be necessary for the company’s operation, which does not include marketing actions.
As with communication, data collection must be properly justified. Thus, the requested data, whether classified as personal or sensitive, must be considered strictly necessary for the operation of the company.
With this, all forms in circulation addressed to the public of your company must be reviewed in order to comply with legal requirements. Managers, together with legal counsel, must reach a consensus on what information can be classified as essential.
Types of consents
More than knowing what should be avoided, it is important to be aware of some concepts present in the law so as not to incur illegalities and understand, more broadly, how to handle your customers’ data. Let’s see, then, some clarifications in this regard.
Under the law, consent is defined as a clear and unambiguous declaration of will. In practice, we are talking about an express declaration that the user agrees with the purpose for which the provided data will be used.
From this perspective, consent, according to the determinations of the GDPR in Brazil, must have the following attributes:
Consent must be free: the granting of consent cannot be “forced” or induced, but must be a choice. If a company places a consent checkbox on a form in a way that leaves the user no real option to accept or refuse the proposed terms, that is not free consent;
Consent must be unambiguous: it depends on manifestation through a positive act by the user. In other words, there must be an action by the user indicating their acceptance, whether by sending an email, an electronic signature, or even by clicking in a specific place. There can be no doubt as to whether consent has been provided or not;
Consent must be provided for a specific, stated purpose: it is an integral part of the GDPR’s logic to inform the reason why personal data is used. The company may never use the collected data for a purpose not specified in the consent form.
Faced with so many demands, some people may be asking themselves: is consent strictly necessary to contact the lead?
Not necessarily, because the law also provides what is conventionally called the legitimate interest basis and the contractual basis. These devices legitimize commercial contact made in a reasonable manner.
Understand users’ rights under the GDPR
The GDPR also provides for a series of user rights, which often imply obligations to be fulfilled by companies.
See what the main ones are:
- Right to confirmation of the existence of processing;
- Right of access to data;
- Right to correct incomplete, inaccurate or outdated data;
- Right to anonymization, blocking or deletion of data that is unnecessary, excessive or processed in violation of the provisions of the GDPR;
- Right of data portability to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;
- Right to delete personal data processed with the consent of the holder;
- Right to information of public and private entities with which the controller shared data;
- Right to information about the possibility of not providing consent and about the consequences of denial;
- Right to revoke consent.
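The consent attributes (free, unambiguous, purpose-specific), the purpose-limitation rule from the "Data acquisition without consent" section, the point that marketing contact is not covered by operational necessity, and the access, deletion and revocation rights listed above can all be modelled as a small consent-and-purpose register. The following is an added illustration written for this page, not code from the article or from any official ANPD tooling; the purpose names, the `LegalBasis` mapping to the numbered list above and the subject identifiers are constructed assumptions.

```python
"""Toy consent-and-purpose register (added example; all names are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set


class LegalBasis(Enum):
    """Legal bases taken from the numbered list on the page (assumed mapping)."""
    CONSENT = "I - consent of the data subject"
    LEGAL_OBLIGATION = "II - legal or regulatory obligation"
    CONTRACT = "V - execution of a contract"
    LEGITIMATE_INTEREST = "legitimate interest (mentioned in the text)"


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: FrozenSet[str]      # the specific purposes the subject agreed to
    evidence: str                 # the positive act: "clicked_accept", "signed_form"...
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


class ConsentRegistry:
    # Evidence values that are NOT a positive act by the user (pre-ticked boxes, silence).
    PASSIVE_EVIDENCE = {"", "pre_ticked", "default", "silence"}

    def __init__(self, purpose_bases: Dict[str, Set[LegalBasis]]):
        # Purpose register: which legal basis may cover which purpose. Marketing
        # purposes are consent-only here, since the text says marketing is not
        # an operational necessity of the company.
        self.purpose_bases = purpose_bases
        self._records: Dict[str, ConsentRecord] = {}
        self.audit: List[str] = []   # evidence trail for the supervisory authority

    def grant(self, subject_id: str, purposes: Set[str], evidence: str,
              now: Optional[datetime] = None) -> ConsentRecord:
        now = now or datetime.now(timezone.utc)
        if evidence in self.PASSIVE_EVIDENCE:
            raise ValueError("consent requires an unambiguous positive act")
        unknown = set(purposes) - set(self.purpose_bases)
        if not purposes or unknown:
            raise ValueError(f"consent must name registered purposes; unknown: {sorted(unknown)}")
        rec = ConsentRecord(subject_id, frozenset(purposes), evidence, now)
        self._records[subject_id] = rec
        self.audit.append(f"{now.isoformat()} grant {subject_id} {sorted(purposes)} via {evidence}")
        return rec

    def revoke(self, subject_id: str, now: Optional[datetime] = None) -> None:
        """Right to revoke consent: keeps the record (as proof) but ends its validity."""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(subject_id)
        if rec and rec.active:
            rec.revoked_at = now
            self.audit.append(f"{now.isoformat()} revoke {subject_id}")

    def may_process(self, subject_id: str, purpose: str, basis: LegalBasis) -> bool:
        """Purpose limitation: the basis must fit the purpose, and consent must be live."""
        if basis not in self.purpose_bases.get(purpose, set()):
            self.audit.append(f"deny {subject_id} {purpose}: {basis.name} is not a valid basis")
            return False
        if basis is not LegalBasis.CONSENT:
            self.audit.append(f"allow {subject_id} {purpose} under {basis.name}")
            return True
        rec = self._records.get(subject_id)
        ok = rec is not None and rec.active and purpose in rec.purposes
        self.audit.append(f"{'allow' if ok else 'deny'} {subject_id} {purpose} under CONSENT")
        return ok

    def export(self, subject_id: str) -> dict:
        """Right of access / portability: a machine-readable copy of what is held."""
        rec = self._records.get(subject_id)
        if rec is None:
            return {}
        return {"subject_id": rec.subject_id, "purposes": sorted(rec.purposes),
                "evidence": rec.evidence, "granted_at": rec.granted_at.isoformat(),
                "revoked_at": rec.revoked_at.isoformat() if rec.revoked_at else None}

    def erase(self, subject_id: str) -> bool:
        """Right to deletion of data processed on the basis of consent."""
        return self._records.pop(subject_id, None) is not None


def demo() -> Dict[str, bool]:
    """Walk through the decisions a controller faces; all subjects/purposes are constructed."""
    reg = ConsentRegistry({
        "order_fulfilment": {LegalBasis.CONTRACT},
        "tax_invoice": {LegalBasis.LEGAL_OBLIGATION},
        "newsletter": {LegalBasis.CONSENT},
        "market_research": {LegalBasis.CONSENT},
    })
    reg.grant("user-42", {"newsletter"}, evidence="clicked_accept")
    results = {
        "newsletter_with_consent": reg.may_process("user-42", "newsletter", LegalBasis.CONSENT),
        "research_not_consented": reg.may_process("user-42", "market_research", LegalBasis.CONSENT),
        "marketing_under_contract": reg.may_process("user-42", "newsletter", LegalBasis.CONTRACT),
        "invoice_under_obligation": reg.may_process("user-42", "tax_invoice", LegalBasis.LEGAL_OBLIGATION),
    }
    reg.revoke("user-42")
    results["newsletter_after_revoke"] = reg.may_process("user-42", "newsletter", LegalBasis.CONSENT)
    try:
        reg.grant("user-7", {"newsletter"}, evidence="pre_ticked")
        results["pre_ticked_rejected"] = False
    except ValueError:
        results["pre_ticked_rejected"] = True
    results["erased"] = reg.erase("user-42") and reg.export("user-42") == {}
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that revocation does not delete the record: the `granted_at`, `evidence` and `revoked_at` fields are what a controller would show the ANPD to prove that consent existed when a message was sent and that contact stopped after it was withdrawn. Erasure is a separate, explicit step because it serves a different right.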
The application of the GDPR in your company deserves to be properly monitored. As we highlighted, any non-compliance can lead to punishments of different natures, exposing your business to completely avoidable legal risks.