
Brazil: Health and Pharma Overview


1. Governing Texts

1.1. Legislation

Brazil has enacted its first specific legislation in the field of data protection, namely Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), which came into force on 18 September 2020. The LGPD was strongly influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and seeks to regulate the processing of personal data by public and private entities in Brazil.

A few months after the LGPD came into effect, the Brazilian data protection authority ('ANPD') was created, in January 2021. It has been demonstrating its willingness to, at least initially, focus on guidance that helps data subjects and companies thoroughly understand the LGPD's provisions, as well as on developing a privacy and data protection culture.

In addition to the LGPD, provisions on the protection of personal data can also be found in the Constitution of the Federative Republic of Brazil of 1988 ('the Constitution'), which was recently amended to establish personal data protection as a fundamental right, Law No. 10.406 of 10 January 2002 for the Civil Code (only available in Portuguese here), Law No. 8.078 of 11 September 1990 Which Provides for the Consumer Protection (only available in Portuguese here) ('the Consumer Protection Code'), Legislative Decree No. 2848 of 7 December 1940 for the Criminal Code (only available in Portuguese here), and other specific laws, as summarised below.

The Constitution

The general principle applicable to data protection in Brazil is contained in Article 5 of the Constitution, which already provided that the privacy, private life, honour, and image of persons are inviolable rights and guaranteed the right for compensation of material and moral damages resulting from the violation of these rights. Inherent in the constitutional protection of privacy is the need to protect personal data that has been submitted in confidence.

In addition to those provisions, on 10 February 2022, the Federal Senate approved Constitutional Amendment No. 115/2022, which specifically added personal data protection, including in digital means, to the list of fundamental rights set forth in Article 5 of the Constitution.



Furthermore, the Constitution also contains a habeas data provision (Article 5(LXXII)(a) of the Constitution), which guarantees the rights of individuals to have access to their personal information contained in registries or databases maintained by the Federal Government or other public entities, and to demand the correction of any incorrect data.

LGPD

Health data is considered sensitive personal data in light of Article 5(2) of the LGPD. Therefore, the situations in which such data may be processed without the consent of the data subject are subject to more stringent requirements (Article 11 of the LGPD) than those applying to the processing of other personal data (Article 7 of the LGPD).

Moreover, Article 11(2) of the LGPD establishes the situations in which the processing of sensitive personal data is allowed without the consent of the data subject. The first situation concerns compliance by the controller with a legal or regulatory obligation. The LGPD also enables the processing of sensitive personal health data, without the consent of the data subject, exclusively to enable health protection in a procedure performed by health professionals, health services, or health authorities. It is noteworthy that, in the case of sensitive personal health data, consent cannot be waived on the ground that the processing is necessary to meet the 'legitimate interests of the controller or third party' (Article 7(4) of the LGPD).

Furthermore, health data controllers are prohibited from communicating or making shared use of this data with a view to obtaining any kind of economic advantage, except when there is a need for communication to adequately provide supplementary health services.

In addition, Article 13 of the LGPD provides that, for public health studies, research agencies may have access to personal databases, which will be handled exclusively within the agency and strictly for the purpose of conducting studies and research and maintained in a controlled and safe environment, in accordance with safety practices provided for in specific regulations and including, where possible, anonymisation or pseudonymisation of data, as well as due consideration of ethical standards related to studies and research. The disclosure of the results or any excerpt from such studies and research may under no circumstances reveal personal data and the agency may not transfer them to third parties.

It is therefore clear that the new legislation was concerned with the specific protection of personal data in the health sector, as such data is essential for the provision of services to users. However, the matter is still pending specific regulation by the ANPD and the health and sanitary authorities.

The Civil Code

Articles 20 and 21 of the Civil Code further grant the protection of an individual's private life as a natural and inviolable right, raising privacy and image rights to the category of human being's fundamental rights. It is important to bear in mind that Article 186 of the Civil Code provides that whoever violates a right, and, as a result, causes damages voluntarily or by omission, or through negligent or reckless behaviour, commits an illegal act and is, therefore, liable for such damages.

The Consumer Protection Code

The guiding principle contained in the Consumer Protection Code is that consumers are at a disadvantage within a consumer relationship. As such, they should be protected against possible abuses by sellers/suppliers. The Consumer Protection Code encompasses health service providers.

It sets forth that consumers must have access to information existing in registrations, records, registers, and personal and consumption data related to them. The consumer must be informed, in writing, of the opening of registrations and records (such as in a database), and any data contained in such records or registrations must be objective, clear, true, and easy to understand. Moreover, consumers are entitled to request the rectification of any incorrect or inaccurate information contained in such records.

The Criminal Code

Article 153 of the Criminal Code considers the disclosure of private documents or confidential mail to be a crime, with penalties varying from imprisonment of six months to a year, or a fine.



Article 154 of the Criminal Code determines that it is a crime to disclose, without just cause, any secret that someone has gained knowledge of due to their function, trade, or profession, if such disclosure has the potential to damage a third party. Penalties involve imprisonment of three months to a year, or a fine.

The lack of an information management policy could result in manipulation, facilitating the accidental or intentional availability of data to the public, thus causing distrust among citizens and consumers. Even if it is not made public, the improper disclosure of data could cause damage.

The CFM's Code of Ethics

Several provisions of the Brazilian Federal Medical Council's ('CFM') Code of Ethics (only available in Portuguese here) ('the Code of Ethics') encompass issues related to medical confidentiality with respect to patient data and the publication of scientific papers.

It should be noted that Chapter IX of the Code of Ethics establishes that 'the doctor must keep confidential all information of which he/she becomes aware in the course of their duties. The same applies to [professionals who] work in companies, except in cases in which the doctor's silence harms or endangers the worker or community's health'.



Furthermore, it is not permitted for doctors to disclose:

  • a fact of which they have gained knowledge through the exercise of their profession, unless they have a just cause, are bound to do so by their professional duty, or have the written consent of the patient (Article 73 of the Code of Ethics);
  • professional secrets related to an underage patient, including to parents or legal representatives, provided the minor has the capacity of discernment, unless the non-disclosure could lead to the patient's harm (Article 74 of the Code of Ethics); and
  • confidential information obtained during the medical examination of workers, unless the doctor's silence endangers the health of employees or the community (Article 76 of the Code of Ethics).

The knowledge and handling of records by persons not bound by professional secrecy is also prohibited when they are under a doctor's responsibility (Article 85 of the Code of Ethics). These persons are not permitted to maintain copies of the records within their custody except when the patient grants a written authorisation, to comply with a court order, or for their own personal defence (Article 89 of the Code of Ethics).

Resolutions of the CFM

Several resolutions issued by the CFM contain provisions related to data protection, as summarised below:

  • Resolution No. 1.605/2000 (only available in Portuguese here) ensures patient privacy, preventing the disclosure of data and information from medical records or patients' records without the written permission of patients. In cases where the communication of a disease is compulsory, the doctor should be restricted solely to communicating this fact to the competent authority, whilst the disclosure of a patient's medical record is strictly prohibited.
  • Resolution No. 1.643/2002 (only available in Portuguese here) regulates the provision of telemedicine services. In particular, Article 2 requires that services provided through telemedicine implement appropriate technological infrastructure and comply with the relevant regulations pertaining to the custody, handling, data transmission, confidentiality, privacy, and guarantees of the technical standards of professional secrecy issued by the CFM.
  • Resolution No. 1.821/2007 (only available in Portuguese here) recognises the technical and legal validity of electronic records following the approval of the Technical Standards for Use of Computerised Systems for the Storage and Handling of Medical Records, and establishes criteria for the certification of information systems. In this regard, the CFM and the Brazilian Society of Health Informatics must issue, pursuant to Article 7 and upon request, a certification for electronic record storage and handling systems that comply with specific technical standards.
  • Resolution No. 1.638/2002 (only available in Portuguese here) defines the medical record and informs that the responsibility for the record lies with the attending doctor and other professionals who share care.
  • Resolution No. 2.264/2019 (only available in Portuguese here) defines and disciplines telepathology as a way of providing anatomopathological services mediated by technologies. The resolution makes it clear in its text that it takes the LGPD into account; in fact, its Article 3 describes what the patient's consent should be like when authorising the transmission of their data, namely informed, free, and clarified.

The ANS

The National Regulatory Agency for Private Health Insurance and Plans ('ANS'), which is responsible for the regulation of healthcare plans and service providers, has set standards for the exchange of health information between operators of private healthcare plans and service providers, called the Exchange of Information on Health Insurance ('TISS Standard'), previously set by Normative Resolution No. 305 of 9 October 2012, which has been recently revoked by Normative Resolution No. 501 of 30 March 2022 (only available in Portuguese here).

One of the components of the TISS Standard relates to security and privacy, since it provides requirements for the protection of healthcare data and stipulates that such protection should comply with current legislation. The standards set out by Normative Resolution No. 501 are in compliance with the ones provided for by the LGPD.

There are many resolutions providing for the confidentiality of patient information held by the operators of private healthcare plans. For instance, such operators must keep the information provided by their customers or provider network secure, and may not disclose (or provide to others not involved in the provision of assistance services) information about the health of consumers that contains identification data without their express consent, except when authorised by law.

1.2. Supervisory authorities

The following authorities are responsible for supervising activities related to health and pharma in Brazil:

1.3. Guidelines

See the above resolutions in the section on legislation from the CFM.

1.4. Definitions

Personal data: Information related to an identified or identifiable natural person.

Sensitive data: Personal data on racial or ethnic origin, religious belief, political opinion, trade union or religious affiliation, philosophical or political organisation membership, data relating to health or sex life, genetic, or biometric data, when related to a natural person. The rules concerning sensitive data apply to any processing of personal data that discloses sensitive personal data and which may cause damage to the data subjects, except as otherwise provided in a specific law.

Consent: Free, informed, and unambiguous manifestation whereby the data subject agrees with the processing of their personal data for a given purpose.

Biomedical cell product: A complex consisting of cell line(s) and additives, in combination with registered medicines for medical use and/or medical products.

Biometric data: Data obtained and processed from the physical or behavioural characteristics of people that make an individual statistically distinguishable and unique from others. Examples are: fingerprints, virtual face masks, iris or retina recognition, dental arch dimensions, signature recognition, among other methods of identifying from the unique characteristics of each human being.

Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid ('DNA') or ribonucleic acid ('RNA') analysis, or from the analysis of another element enabling equivalent information to be obtained.

Medical secrecy: A set of rules that limits access to information discussed between a person and their healthcare practitioners.

Clinical records: A digital or analogue record detailing a medical treatment, medical trial, or clinical test, which must be accurate, timely, and reflect the specific services provided to a patient.

2. Clinical Research and Clinical Trials

Brazil is a signatory of the Pan American Health Organization's ('PAHO') Good Clinical Practices: Document of the Americas, which establishes that Brazilian research centres should follow the directives of the Harmonised Tripartite Guideline for Good Clinical Practices developed by the International Conference on Harmonisation for Good Clinical Practices ('GCP/ICH').

The GCP/ICH establishes the standards of ethical and scientific quality for the planning, performing, recording, and reporting of clinical studies involving human beings. This document provides for the use of a patient identification code, which is an exclusive identifying code assigned to each participant in a clinical study in order to protect their identity. This provision determines that, in most cases, information contained in the clinical research should not be identifiable.

As well as international regulations, Brazil has specific regulations governing clinical research. In 2012, the National Board of Health ('CNS') issued Resolution No. 466/12 (only available in Portuguese here), the main piece of regulation currently governing clinical research.

It should be noted that any clinical research in Brazil requires prior approval from the Committee for Ethics in Research ('CEP') and, in certain cases, from the National Commission for Ethics in Research ('CONEP').

Resolution No. 466/12 requires that every study involving human beings, and which includes the management of information or biological materials, should have the free and clear consent of the participants involved or that of their legal representatives, and ensure that information related to research (for example, the use of the data and materials) is provided to participants, in a language that is easy to understand, thus guaranteeing the participants' confidentiality and privacy.

2.1. Data collection and retention

Decree No. 1.820/2009 of the Ministry of Health (only available in Portuguese here), which provides for the rights and duties of users of health services, sets forth that the patient is entitled to free, voluntary, and informed consent to any diagnostic, preventive, or therapeutic procedures, except in cases where there may be a risk to public health. Consent previously given may be revoked at any time, by free and informed decision, without the patient being subject to personal, moral, financial, or legal sanctions.

The Code of Medical Ethics, approved by Resolution No. 2.217/2018 of the Federal Council of Medicine (only available in Portuguese here), also consolidated the principle of the free and sovereign wish of the patient by providing that the physician is prohibited from:

  • failing to obtain the consent of the patient or their legal representative, after clarifying the procedure to be executed, except in case of imminent risk of death; and
  • failing to guarantee the patient's exercise of their right to decide freely about themselves or their well-being, or exercising their authority to limit it.

2.2. Consent

Decree No. 1.820/2009, which provides for the rights and duties of users of health services, sets forth that the patient is entitled to free, voluntary, and informed consent to any diagnostic, preventive, or therapeutic procedures, except in cases where there may be a risk to public health. Consent previously given may be revoked at any time, by free and informed decision, without the patient being subject to personal, moral, financial, or legal sanctions.

The Code of Medical Ethics, approved by Resolution No. 1931/2009 of the Federal Council of Medicine (only available in Portuguese here), also consolidated the principle of the free and sovereign wish of the patient by providing that the physician is prohibited from:

  • failing to obtain the consent of the patient or their legal representative, after clarifying the procedure to be executed, except in case of imminent risk of death; and
  • failing to guarantee the patient's exercise of their right to decide freely about themselves or their well-being, or exercising their authority to limit it.

2.3. Data obtained from third parties

The LGPD restricts the sharing of health data for the purpose of obtaining economic advantage if such sharing is not for:

  • the rendering of health services;
  • the provision of pharmaceutical assistance;
  • healthcare, including ancillary diagnostic and therapy services;
  • the portability at the request of the data subject; and
  • allowing financial and administrative transactions related to the services listed above.

Therefore, in order to share health data with healthcare providers or hospitals, for example, it is recommended that the data be effectively anonymised, so that reversing the process is not reasonably possible considering the cost, time, and available technologies.

It is important to stress that there are no officially defined standards on this subject, which must be established by the ANPD in the future.

3. Pharmacovigilance

Pursuant to ANVISA Ordinance No. 1.660 of 22 July 2009 (only available in Portuguese here) and the Ministry of Health's Ordinance No. 529 of 1 April 2013 (only available in Portuguese here), the reporting of adverse reactions in the context of pharmacovigilance should be made to the National Notification System for Health Surveillance ('NOTIVISA').



The notifying party can provide notification of confirmed or suspected incidents, adverse events, and technical complaints. Once the notification has been sent, the notifying party is informed of its receipt by means of the NOTIVISA.

As well as the notifying party, ANVISA and the municipal and state Health Surveillance Departments will also have access to the information.

The notifications sent are kept confidential. Should it be necessary, the National Health Surveillance System ('SNVS') will contact the notifying party to clarify any doubts, obtain additional information, or monitor the developments of the case in question.

Resolution No. RDC 96 of 17 December 2008 (only available in Portuguese here) addresses advertising, publicity, information, and other activities that seek to disseminate or commercially promote medicines. For the general public, the only publicity permitted for medicines is that relating to those which may be sold without a doctor's prescription, or in other words, advertising for medicines that do not carry a red or black stripe on their packaging. Medicines that require a doctor's prescription (those bearing a red or black stripe) may only be advertised to healthcare professionals with the power to prescribe (doctors or dentists) or dispense (pharmacists) medicines.

The medicines should be registered with ANVISA in order for them to be commercialised and included in advertising. Only certain medicines, due to the low risk that their use or contact can cause to an individual's health, are exempt from registration, but are still required to display the following message on their packaging and in any advertising: 'MEDICAMENTO DE NOTIFICAÇÃO SIMPLIFICADA RDC ANVISA N.º...../2006. AFE nº:......................' ('SIMPLIFIED NOTIFICATION MEDICINE RDC ANVISA No. ...../2006. AFE No.: ......................').

4. Biobanking

CNS Resolution No. 441/2011 (only available in Portuguese here) provides guidelines for the ethical analysis of research projects that involve the storage of human biological material, or the use of samples gathered and stored from previous studies.

Resolution No. 441/2011 introduces the concept of a 'biobank', defined as 'an organised collection of samples and associated information gathered and stored for research purposes, being under institutional and administrative responsibility, and serving no commercial purposes'.

The CEP and the CONEP must approve biobanks. In addition, Resolution No. 441/2011 establishes that biobanks must have a secure identification system that guarantees the secrecy and confidentiality of the samples, as well as the positive recovery of the data pertaining to the participants involved in the research, be it for the provision of information of interest to such subjects, or for obtaining specific consent for the use in another study.

Furthermore, samples may be used in secondary studies approved by the CEP and the CONEP, provided that the research projects include:

  • a justification for the use of the material;
  • a copy of the free and clear consent provided upon collection of the material, containing authorisation for the storage and possible future research use; and
  • free and clear consent, specifically in relation to secondary research projects or a request for the waiver of such.

In addition, an informed consent form ('ICF') relating to the storage of samples in a biobank must contain specific information about whether or not fresh consent for each new research is necessary. The ICF must also refer to all the types of information that could be obtained in future studies using the samples stored, thus guaranteeing the knowledge and autonomy of the participant at the time of deciding whether the samples may be used in the future.

Also, the ICF must expressly guarantee the possibility of the participant's access to the results obtained from the use of their biological material.

It is important to note that the samples stored in a biobank belong to the research participants and remain in the custody of, and under the responsibility of, the research institution. In addition, the participants may withdraw their consent to the storage and use of the samples at any time.

5. Data Management

General obligations on the data controller

In addition to the obligations already mentioned throughout this text, the controller must still comply with the following obligations:

  • preparing a personal data protection impact report containing a description of the personal data processing;
  • informing the data subject in advance of changes of purpose for the processing of personal data that is not compatible with the original consent, and the data subject may revoke the consent if they disagree with the changes;
  • keeping a record of the personal data processing operations that they perform, especially when based on legitimate interest; and
  • compensating any property, moral, individual, or collective damage that the controller has caused through its personal data processing activity.

Permitted uses of data

The processing of personal data may only be performed in the following cases:

  • upon the data subject's consent;
  • for compliance with the legal or regulatory obligation by the controller;
  • by the public administration, for the processing and shared use of data required for the execution of public policies provided for in laws and regulations or backed by agreements, arrangement, or similar instruments;
  • to conduct studies by research bodies, ensuring, if applicable, the anonymisation of personal data;
  • when required for the performance of an agreement or preliminary procedures related to agreements in which the data subject is party, at the request of the data subject;
  • for the regular exercise of rights in judicial, administrative, or arbitral proceedings;
  • for the protection of the life or physical safety of the data subject or third parties;
  • for the protection of health, exclusively in procedures performed by health professionals, health services, or health authorities;
  • when required to meet the legitimate interests of the controller or third parties, except where the data subject's fundamental rights and freedoms, which require the protection of personal data, prevail; or
  • credit protection, including the provisions of the relevant legislation.

The requirement of consent for data made manifestly public by the data subject is waived, safeguarding the rights of the data subject and the principles provided for by law.

Data security requirements

Data processing agents should take security, technical, and administrative measures to protect personal data from unauthorised access and from accidental or unlawful destruction, loss, alteration, communication, or any form of improper or unlawful processing.

The ANPD may provide for minimum technical standards to make such measures applicable, considering the nature of the information processed, the specific characteristics of the processing and the current state of the technology, especially in the case of sensitive personal data.

The controller must report to the ANPD and to the data subject the occurrence of a security incident that may lead to significant risk or damage to the data subject. The communication must be made within a reasonable time, as defined by the ANPD, and must include at least:

  • the description of the nature of the affected personal data;
  • information about the data subjects involved in the security incident;
  • indication of the technical and security measures used for data protection, with due regard for trade and industrial secrets;
  • the risks related to the incident;
  • the reasons for the delay, in case the communication was not immediate; and
  • the measures that have been or will be taken to reverse or mitigate the effects of the damages.

The ANPD must verify the seriousness of the incident and may, if required to safeguard the rights of the data subject, order the controller to take measures, such as:

  • disclosing the incident in the media; and
  • reversing or mitigating the effects of the incident.

When assessing the severity of the incident, the ANPD will consider evidence that appropriate technical measures were adopted to render the affected personal data unintelligible, within the scope and technical limits of the agent's services, to third parties not authorised to access it.

Anonymisation and pseudonymisation

The LGPD does not consider anonymised data to be personal data, unless the anonymisation process to which it was submitted is reversed using exclusively the controller's own means, or can be reversed with reasonable efforts.

The decision as to what is reasonable should consider objective factors, such as the cost and time required to reverse the anonymisation process according to available technologies and the exclusive use of the controller's own resources. The ANPD may establish standards and technical provisions to be used in anonymisation processes and conduct security checks, upon consultation with the National Council for the Protection of Personal Data.

For the purposes of the LGPD, pseudonymisation is the process whereby data loses the possibility of direct or indirect association with an individual, unless using additional information kept separately by the controller in a controlled and safe environment.

For the purposes of dealing with studies involving public health, research agencies may have access to personal databases, which will be processed exclusively within the agency and strictly for the purpose of conducting studies and research. The personal databases must also be kept in a controlled and safe environment, as per security practices provided for in specific regulations, including, if applicable, the anonymisation or pseudonymisation of data, as well as due compliance with ethical standards related to studies and research.

Record-keeping

The LGPD does not specifically set forth the period for which personal data may be kept by agents, especially because each sector, whether commercial or public, uses this information in diverse ways and for diverse purposes. However, the law intends to prevent and punish the improper use of personal data, such as storage for a period longer than required or the use of the data for purposes to which the data subject has not consented.

Nonetheless, the LGPD provides for the following regarding the termination of the processing of personal data:

  • verification that its purpose has been achieved or that the data is no longer required or relevant to achieve the intended specific purpose;
  • the end of the processing period;
  • communication by the data subject, including the exercise of the right to withdraw their consent, with due regard to the public interest; or
  • determination of the ANPD, in case of violation of any law provision.

In addition, the LGPD sets forth several situations in which the controller is not required to delete the data and is allowed to retain it for the following purposes:

  • compliance with legal or regulatory obligation;
  • studying by research body, ensuring, if applicable, the anonymisation of personal data;
  • transferring to a third party upon due compliance with the LGPD's data processing requirements; and
  • exclusive use by the controller, with access by third parties forbidden, provided that the data is anonymised.

As for health data, all information contained in medical records that was obtained more than 20 years ago must be deleted from the hospital's database upon request of the data subject. However, any data from medical records that is more than 20 years old must be kept by the hospital, due to the requirement imposed by Law No. 13.787/2018 of 27 December 2018 Which Refers to the Digitisation of Computerised Systems for the Storage and Handling of Patient Records (only available in Portuguese here). Other data that is not contained in the medical records, and for which there is no provision or legal basis allowing its storage, should also be deleted.

DPO requirements

According to the LGPD, the data protection officer ('DPO') is a person appointed by the controller and operator to act as a communication channel between the controller, the data subjects, and the ANPD. The identity and contact information of the DPO must be disclosed publicly, clearly, and objectively, preferably on the controller's website.

The DPO's activities consist of:

  • accepting complaints and requests from the data subjects, providing clarifications, and taking any action that may be required;
  • receiving requests from the ANPD and taking any action that may be required;
  • advising the entity's employees and contractors on the actions to be taken regarding the protection of personal data; and
  • performing other duties determined by the controller or established in complementary rules.

The ANPD may establish supplementary rules on the definition and duties of the DPO, including the possibility of waiving the requirement to appoint a DPO, according to the nature and size of the entity or the volume of its data processing operations.

6. Outsourcing

Not applicable.

7. Data Transfers

International data transfers are only permitted:

  • to countries that provide a level of protection of personal data that is at least equal to that provided for in the LGPD;
  • when the transfer is necessary for the purposes of international judicial cooperation between public intelligence and investigation organisations, in accordance with instruments of international law;
  • when the transfer is necessary for the protection of the life or physical safety of the data subject or a third party;
  • when the competent authority authorises the transfer;
  • when the transfer is made in accordance with international cooperation agreements;
  • when the transfer is necessary for the implementation of public policy or compliance with a governmental legal duty; or
  • when the data subject has consented to the transfer, after having received prior and specific information on the international nature of the transfer and having been warned of the risks involved.

Furthermore, in accordance with the LGPD, the transferor and the transferee are, in all circumstances, jointly and strictly liable for the handling of the data, regardless of their location.

8. Breach Notification

The LGPD sets forth that the data controller must notify the ANPD and the data subjects of any security incident that may cause significant risk or damage to the data subjects. In such cases, the ANPD must assess the seriousness of the incident and may, if required to safeguard the rights of the data subjects, order the controller to take specific measures.

The ANPD has the power to determine minimum technical standards for data security. Note also that the LGPD states that the controller, the processor, and 'any other person who intervenes' in the processing of personal data are required to ensure the security of the data.

Furthermore, until the ANPD and the health and sanitary authorities enact the pending regulation, it is also recommended that the authorities indicated below be notified in case of a data breach, in order to mitigate any indemnification claims in this regard:

  • The ANS is the Brazilian agency that operates nationwide to regulate, standardise, control, and inspect the private health insurance and health plans sectors in Brazil. Although not mandatory, it is recommended that the ANS be informed of any privacy incidents involving medical data in connection with the health insurance and health plans sector.
  • The CFM is the self-regulating body with constitutional powers of supervision and regulation of medical practice. Although not mandatory, it is recommended that the CFM be informed of any privacy incidents involving medical data.
  • The National Consumer Secretariat ('SENACON') is the national secretariat which, among other things, is designed to:
    • ensure the protection and exercise of consumers' rights; and
    • promote harmonisation in consumer relations.

Although not mandatory, it is recommended that SENACON be informed of any privacy incidents involving consumers.

9. Data Subject Rights

According to the LGPD, every individual is assured ownership of their personal data, and the fundamental rights of freedom, intimacy, and privacy are guaranteed.

The data subject has the right to easily access information regarding the processing of their data, which must be made available in a clear, appropriate, and ostensible manner and which includes, among other aspects provided for in regulations in compliance with the principle of free access:

  • specific purpose of the processing;
  • form and period of processing, subject to commercial and industrial secrets;
  • controller identification;
  • controller contact information;
  • information about the shared use of data by the controller and its purpose;
  • responsibilities of the agents who will perform the processing; and
  • rights of the data subject.

In addition, the data subject of the personal data also has the right to obtain from the controller, at any time, and upon request (Article 17 of the LGPD):

  • confirmation of the existence of processing;
  • access to the data;
  • correction of incomplete, inaccurate, or outdated data;
  • anonymisation, blocking, or removal of data that is unnecessary, excessive, or processed in violation of the provisions of the LGPD;
  • portability of data to another service or product provider upon express request, in accordance with the ANPD's regulations, subject to commercial and industrial secrets and provided that the data is not already anonymised;
  • removal of personal data processed with the consent of the data subject;
  • information from public and private entities with which the controller has made shared use of data;
  • information about the possibility of not granting any consent to use the data and about the consequences of such refusal; and
  • revocation of the consent.

If the controller cannot immediately take the measures requested by the data subject, the controller must reply to the data subject stating either that it is not the processing agent for such processing, informing, where applicable, who the agent is, or the reasons of fact or law that prevent the immediate adoption of these measures.

The controller must promptly inform the data processing agents with whom it has shared data of any correction, removal, anonymisation, or blocking of the data, so that they can repeat the same procedure, except where such communication proves impossible or involves disproportionate effort.

Children and adolescents as data subjects

The processing of children's and adolescents' personal data must be carried out in their best interests, considering all relevant provisions of the LGPD. It is important to stress that, in Brazil, in accordance with Law No. 8.069 of 13 July 1990 for the Federal Children's and Adolescents Statute (only available in Portuguese here), a child is a person under 12 years of age and an adolescent is a person between 12 and 18 years old.

Processing children's personal data requires the specific and prominent consent of at least one parent or legal guardian. The controller is obliged to make publicly available all information about the types of data collected, how they are used, and the procedures for exercising the rights of the data subjects, which are the same as those mentioned above.

The controller may collect children's personal data without such consent when the collection is necessary to contact a parent or legal guardian, in which case the data may be used only once and may not be stored, or when it is necessary for the child's protection. In any case, no such personal data may be passed on to third parties without the consent of a parent or legal guardian.

Information about the data processing must be provided in a simple, clear, and accessible manner, considering the user's physical-motor, perceptual, sensory, intellectual, and mental characteristics and using audio-visual resources where appropriate, so as to provide the necessary information to the parent or legal guardian in a form suited to the understanding of the child or adolescent.

10. Penalties

Any company that fails to comply with the rules on the processing of personal data, whether sensitive or not, may be subject to administrative sanctions applied mainly by the ANPD, as well as to civil or criminal judgments by the courts. It is important to stress that data subjects may also assert their rights before other institutions, such as PROCON and the Public Prosecution Service.

The administrative sanctions described in the LGPD are (Article 52 of LGPD):

  • warnings, with indication of a term for adoption of corrective measures;
  • simple fines of up to 2% of the revenue of the private-law legal entity, group, or conglomerate in Brazil in its last fiscal year, excluding taxes, capped in the aggregate at BRL 50 million (approx. €8.1 million) per infraction;
  • daily fines, subject to the same total limit of BRL 50 million (approx. €8.1 million) per infraction;
  • disclosure of the infraction after it has been duly investigated and its occurrence has been confirmed;
  • blocking of the personal data to which the infraction relates, until its regularisation; and
  • elimination of the personal data to which the infraction relates.

As previously mentioned, all sanctions are applied by the ANPD following an administrative procedure that provides an opportunity for defence, and may be applied gradually, in isolation, or cumulatively, according to the particularities of the specific case. The details of how these sanctions are applied are provided for in Resolution No. 1 of 28 October 2021 (only available in Portuguese here).

Resolution No. 1 provides for, among others:

  • the duties of processing agents when subjected to inspection processes conducted by the ANPD;
  • procedural rules related to the counting of deadlines, the communication of official acts, and the means of carrying out administrative acts;
  • procedures to be followed by the parties when subjected to inspection processes;
  • ANPD monitoring and surveillance activities;
  • guidance activities developed by the ANPD;
  • preventive and repressive activities; and
  • a description of the procedures to be followed in sanctioning processes.

In this sense, it is important to note that, although the administrative sanctions entered into force on 1 August 2021 and Resolution No. 1 is in place, the ANPD has already stated that:

  • it will submit to public consultation a specific rule to deal with sanctions and dosimetry; and
  • its enforcement activity will take place in stages: monitoring, guidance, prevention, and repression of infractions, taking into account the information received from complaints, reports, representations, and incident notifications.

Thus, the ANPD is adopting an approach focused on education and public awareness, rather than merely punitive measures.

11. Other Areas of Interest

Although some areas, such as precision medicine, diagnostics, e-Health, and telemedicine, will be directly impacted by the LGPD, it is important to recognise how many changes will be required to create greater value within companies by improving daily processes, service delivery, reputation, and market intelligence.

Due to the COVID-19 pandemic, the Federal Council of Medicine, on 19 March 2020, recognised the possibility of adopting some modalities of telemedicine in Brazil, exceptionally and only for as long as the fight against the pandemic lasts. The Ministry of Health subsequently issued Ordinance No. 467/2020 (only available in Portuguese here), which provides for telemedicine actions. In addition to responding to the well-known public health emergency of national importance declared by Decree No. 188 /GM/MS/2020 (only available in Portuguese here), the Ordinance is supported by Resolution No. 1.643/2002 (only available in Portuguese here) and CFM Letter 1.756/2020 - COJUR (only available in Portuguese here).

CFM Letter 1.756/2020 - COJUR recognised the use of the modalities of teleorientation, telemonitoring, and teleconsultation. Briefly, the first modality concerns the guidance and referral of patients in isolation, the second deals with the remote monitoring of health and/or disease parameters, and the third is a modality for exchanging information and opinions among doctors to assist in diagnosis and therapy. This recognition is also limited to the period of the COVID-19 pandemic.

The ANS, after an extraordinary meeting of its collegiate board of directors, on 31 March 2020, established the understanding through Technical Note No. 7/2020/GGRAS/DIRAD-DIPRO/DIPRO (only available in Portuguese here) that: "[...] telehealth is a procedure that already has mandatory coverage by health plans, since it is a type of consultation with health professionals. Thus, there is no need to talk about the inclusion of procedures in the List of Procedures and Events in Health, and professionals must observe the regulations of the Professional Health Councils and/or the Ministry of Health".

As explained above, based on Law No. 13,989 of 15 April 2020 Which Provides for the use of Telemedicine during the Crisis Caused by the Coronavirus (only available in Portuguese here) ('the Telemedicine Law'), the use of telemedicine was initially authorised exceptionally and only for the duration of the pandemic. It is important to note that the practice has been regulated by several Regional Councils of Medicine ('CRMs') through specific resolutions and technical notes, and it is up to the doctor, who may choose to use the model, to observe the modalities of telemedicine that may be used in each state.

However, the regulatory scenario for telemedicine might change, considering Bill No. 1,998/2020 (only available in Portuguese here), which is pending approval and provides for the definitive regulation of telemedicine throughout the Brazilian territory. According to this bill, the Federal Council of Medicine will be able to regulate minimum procedures for telemedicine, such as specific professional training that can be carried out upon the patients' request. At the time of writing, Bill No. 1,998/2020 was still awaiting final approval by the Federal Senate.

Evy Marques, Partner
Clarissa Luz, Partner
Júlia Ribeiro, Associate
Felsberg Advogados, São Paulo
Eduardo Curiati