
Brazil - Data Protection Overview

Under Review

Due to the publication of ANPD's data breach notification regulation


August 2023 

1. Governing Texts

Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') was passed in 2018 and entered into effect on September 18, 2020.

The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and creates requirements for the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer ('DPO') appointments, Data Protection Impact Assessments ('DPIA'), data transfers, data breaches, data subject rights, and the establishment of the Brazilian data protection authority ('ANPD'). The approval of Constitutional Amendment No. 115 (only available in Portuguese here) to the Constitution of the Federative Republic of Brazil added the individual right to personal data protection to the list of fundamental rights and guarantees.

1.1. Key acts, regulations, directives, bills

  • LGPD;
  • Law No. 10.406 of 10 January 2002 for the Civil Code (only available in Portuguese here);
  • Law No. 8.078 of 11 September 1990 Which Provides for Consumer Protection (only available in Portuguese here) ('the Consumer Protection Code');
  • Legislative Decree No. 2848 of 7 December 1940 for the Criminal Code (only available in Portuguese here);
  • ANPD's Resolution No 1/2021 of 28 October 2021 for the regulation of the Supervisory and Administrative Sanctioning Process within ANPD (only available in Portuguese here) ('ANPD Resolution No. 1/2021');
  • ANPD's Resolution No 2/2022 of 27 January 2022 for the regulation of the applicability of LGPD for small-size data processing agents (only available in Portuguese here) ('ANPD Resolution No. 2/2022');
  • ANPD's Resolution No 4/2023 of 24 February 2023 for the regulation of the dosimetry and application of administrative penalties (only available in Portuguese here) ('ANPD Resolution No. 4/2023'); and
  • ANPD's Statement No 1/2023 of 22 May 2023 on the processing of personal data of children and adolescents (only available in Portuguese here) ('ANPD Statement No. 1/2023').

1.2. Guidelines

The ANPD has issued the following guidance:

  • Technical Note No. 4/2023 - Technical opinion from the General Coordination of Technology and Research regarding compliance alignment with the LGPD and its application in the pharmaceutical retail sector (only available in Portuguese here) ('Pharmaceutical sector Technical Note');
  • Guidance on Cookies and Personal Data Protection (Cookies Guideline) (only available in Portuguese here);
  • Guidelines to the definition of data processing agents and the data protection officer (version 2.0 – April 2022) (Data Processing Agent's Guideline) (only available in Portuguese here) ('the Guidance');
  • Guidelines to information security for small-size data processing agents (version 1.0 – October 2021) (only available in Portuguese here) ('Small size agents Guideline');
  • Guidelines to the application of the LGPD by data processing agents in the electoral context (2021) (only available in Portuguese here); and
  • Guidelines to the data processing by public agents (version 1.0 – January 2022) (only available in Portuguese here).

1.3. Case law

In May 2021, a decision issued by the Brazilian Federal Supreme Court ('STF') suspended the effect of Provisional Measure No. 954/2018 (only available in Portuguese here), which obligated telecom companies to share the mobile numbers and addresses of their customers with the Brazilian Institute of Geography and Statistics ('IBGE') for use in official statistics. The grounds for the court's decision recognized the right to data protection as an autonomous and fundamental right, an important milestone in the Brazilian legal privacy landscape.

In March 2023, the Brazilian Superior Court of Justice ('STJ') adopted an unprecedented decision in which it considered that the leak of simple personal data does not, by itself, give rise to compensation for moral damages. The ministers judged the case of a customer of the energy concessionaire Enel São Paulo, who sought compensation for the leak and improper sharing of her personal data. The first-instance ruling denied the request but was reversed by the Court of Justice of the State of São Paulo. On appeal, the company took the matter to the STJ, which held that the leaked information is provided in any registration and is not protected by secrecy; for this very reason, access by third parties would not violate the personality rights of the data subject. In the words of the rapporteur minister, 'the leak of personal data, despite being an undesirable failure in the processing of data of a natural person by a legal entity, does not have the power, by itself, to generate compensable moral damage. That is, moral damage is not presumed, and it is necessary that the holder of the data prove any damage arising from the exposure of such information'.

2. Scope of Application

2.1. Personal scope

The LGPD provides for the processing of personal data, including by digital means, by a natural person or a legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy as well as the free development of the personality of the natural person (Article 1 of LGPD).

2.2. Territorial scope

The LGPD has extraterritorial application, being applicable to any individual or legal entity governed by public or private law irrespective of the means, the country in which its headquarters is located, or the country in which the data is located, provided (Article 4 (IV) of the LGPD):

  • the processing operation is carried out in the national territory;
  • the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory; and
  • the personal data being processed was collected in the national territory.

According to Article 3(§1) of the LGPD, data collected in the national territory is considered to be those whose data subject is in the national territory at the time of collection, regardless of nationality, residence, or citizenship.

2.3. Material scope

The LGPD applies to the processing of personal data, including by digital means, carried out by a natural person or by a public or private legal entity (Article 1 of the LGPD). The following data processing activities are exempted from the application of the LGPD (Article 4 of the LGPD):

  • processing carried out by a natural person, exclusively for private and non-economic purposes;
  • processing for journalistic and artistic purposes;
  • processing for academic purposes (but observing the rules foreseen in Articles 7 and 11 of the LGPD);
  • processing carried out with the exclusive purpose of public safety, national defense, state security, or investigation activities and prosecution of criminal offenses; or
  • processing activities of personal data originating outside of Brazil, from countries that provide an adequate level of data protection (compared with the LGPD) are not subject to the LGPD, since this personal data is not shared or communicated with Brazilian processing agents.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The ANPD is the main regulator. The ANPD is an autonomous body of public administration, linked to the Ministry of Justice and Public Security, and is composed of (Article 55(C) of the LGPD):

  • board of directors, as the highest body of direction;
  • National Board of Personal Data Protection and Privacy;
  • internal affairs office;
  • ombudsman;
  • legal advisory body; and
  • other administrative and specialized units required for the enforcement of the LGPD.

The board of directors of the ANPD is composed of five directors, including the President Director, all of them nominated by the President of the Republic. They must be Brazilians with an unblemished reputation, a high level of education, and a great reputation in the field of specialization of the position for which they are nominated.

The members of the National Board of Personal Data Protection and Privacy were nominated in August of 2021 for a two-year mandate (only available in Portuguese here).

3.2. Main powers, duties and responsibilities

The ANPD is responsible for the enforcement of the LGPD and has the following powers available to ensure the protection of individuals' data (Article 55(J) of LGPD):

  • supervise the protection of personal data, including through the conduction of inspections, or the determination of their occurrence;
  • supervise commercial and industrial secrets, observing the protection of personal data and the secrecy of information when protected by law or when the breach of secrecy violates the fundamentals of the LGPD;
  • develop guidelines for the protection of personal data and national privacy policy;
  • receive and process data subject claims against the controllers (after being submitted to the controller and not solved according to the LGPD);
  • decide how data processing agents could be transparent regarding personal data processing activities;
  • request, from public authorities that carry out personal data processing activities, information regarding the scope and nature of the data and other details of the processing, with the possibility to issue technical opinions to ensure compliance with the LGPD;
  • amend privacy and personal data protection regulations and procedures, including regarding DPIAs;
  • listen to data processing agents and society in matters of relevant interest;
  • collect and apply its revenue and publish a detailed report regarding its revenue and expenses;
  • conclude agreements with data processing agents to eliminate irregularities, legal uncertainties, or litigious situations in administrative proceedings;
  • enact rules, guidelines, and simplified procedures, including regarding deadlines, for small and micro companies, start-ups, and innovative businesses to help them achieve compliance with the LGPD;
  • ensure that processing activities of personal data from elderly people are carried out in a simple, clear, accessible, and adequate manner to their understanding;
  • decide, at an administrative level, on the LGPD's interpretation, its competencies, and cases in which it is silent;
  • implement simplified mechanisms, including by electronic means, for the registration of complaints about personal data processing that is non-compliant with the LGPD;
  • inspect and sanction cases of data processing that are non-compliant with the LGPD through administrative proceedings that ensure the right to adversary proceedings, full defense, and the right to appeal;
  • report to the appropriate authorities the criminal offenses that come to their knowledge;
  • report to the internal affairs bodies any non-compliance with the LGPD by bodies and entities of federal public administration;
  • disseminate throughout society knowledge about legal norms and policy on personal data protection and its security measures;
  • encourage the adoption of standards for services and products that facilitate the control and the protection of personal data by their subjects, considering the specificities of the activities and the size of controllers;
  • prepare studies about national and international practices on personal data protection and privacy;
  • promote actions of cooperation with personal data protection authorities from other countries, of international or transnational nature; and
  • draft managing reports on its annual activities.

4. Key Definitions

Data controller: Natural person or legal entity, governed by public or private law, in charge of making decisions about the processing of personal data (Article 5(VI) of LGPD).

Data processor: Natural person or legal entity, governed by public or private law, which processes personal data in the name of the controller (Article 5(VII) of LGPD).

Personal data: Information related to an identified or identifiable natural person (Article 5(I) of LGPD).

Sensitive data: Personal data on racial or ethnic origin, religious belief, political opinion, trade union or religious affiliation, or philosophical or political organization membership, as well as data relating to health or sex life, or genetic or biometric data, when related to a natural person (Article 5(II) of LGPD).

Health data: There is no definition under the law.

Biometric data: There is no definition under the law.

Pseudonymisation: The processing by means of which personal data loses the possibility of direct or indirect association to an individual, except through the use of additional information kept separately by the controller in a controlled and safe environment (Article 13(§ 4º) of LGPD).

Data protection officer: Person appointed by the controller and processor to act as a communication channel between the controller, data subjects, and the ANPD (Article 5(VIII) of LGPD).

Anonymisation: Use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of a direct or indirect association to an individual (Article 5(XI) of LGPD).

5. Legal Bases

5.1. Consent

Consent must be a free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose, and can be applied to 'regular' personal data and sensitive personal data (Articles 7, 11, and 14 of the LGPD). In addition, in the case of processing sensitive data based on consent, the consent must be obtained in a specific and highlighted form, as provided in Article 11(I) of LGPD. It is recommended that the authorization be included separately from the main text or, alternatively, that resources be used to highlight the consent, and to indicate which sensitive data will be collected and for which specific purpose it will be used by the processing agent.

Regarding consent, the ANPD in its Cookies Guidance points out that:

Free: The freedom of consent is conditioned to the effective possibility of the data subject to accept or refuse the use of their data, without negative consequences or interventions by the controller that may vitiate or impair their manifestation of will. Thus, the 'forced' consent, which is conditioned on full acceptance of conditions, without the provision of effective options to the data subjects, renders the consent invalid.

Informed: Consent must also be informed, requiring that the data subjects be presented with all the necessary information to make an informed assessment and decision. Thus, the data subject must be provided with clear, precise, and easily accessible information about the form of the processing, the retention period, and the specific purposes that justify the collection of their data, among other information indicated in Article 9 of the LGPD.

Any change in the purposes adopted to obtain consent changes the legal assumption adopted, requiring new consent by the data subject, or the use of another legal basis, according to the new purpose established and with all the necessary information for this purpose. Consent must also be unequivocal, which requires obtaining a clear and positive manifestation of will from the data subject, not being based on inference or obtained in a tacit way or from an omission from the data subject. Therefore, the use of pre-selected authorization options or the adoption of tacit consent mechanisms is not recommended.

It is important to note that it is the controller's responsibility to prove that consent has been obtained respecting all the parameters established by the LGPD. Thus, it is good practice to record and document all the requirements necessary to prove that the consent is unbiased and contains all the necessary information.

5.2. Contract with the data subject

Applicable to data processing activities necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject (Articles 7, 11, and 19 of the LGPD).

5.3. Legal obligations

Personal data and sensitive data can be processed for compliance with a legal or regulatory obligation by the controller (Article 7(II) of the LGPD).

5.4. Interests of the data subject

There are no specific legal bases to process personal data to pursue the interests of the data subject. However, the legitimate interest of the data controller can be applied in situations to protect the regular exercise of their rights or the provision of services that benefit them.

For more details, please see the section on the legitimate interests of the data controller below.

5.5. Public interest

There are no specific legal bases to process personal data to pursue public interests. However, public administration can process personal data when necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments (Article 7(III) of the LGPD).

5.6. Legitimate interests of the data controller

The legitimate interest of the data controller or data subject cannot be applied to process sensitive data, and when supporting a processing activity on this legal basis the data controller needs to (Article 7(IX) of the LGPD):

  • guarantee that the personal data being processed is strictly necessary for the intended purpose; and
  • adopt measures to ensure transparency of data processing based on its legitimate interests.

Regarding legitimate interests, the ANPD in its Cookies Guidance points out that:

  • the interest of the controller will be considered legitimate when it is compatible with the legal system and does not conflict with the provisions of the law. The controller must assess, prior to entering into any transaction based on legitimate interest, whether, in the case in question, the fundamental rights and freedoms of the data subject that require protection of personal data prevail and therefore prevent the processing from taking place;
  • it is important to prove the adoption of technical and administrative measures capable of safeguarding the operation and the data used, ensuring the security of the processing and transparency for the data subjects; and
  • in order for processing to be appropriate, the controller must be sure that the intended use does not infringe rights and freedoms and could be reasonably foreseen by the data subject, that is, that it would be possible for the data subject to suppose that the use could occur with their personal data from the information provided by the controller at the time of collection of the personal data.

On August 16, 2023, the ANPD released its preliminary study on the legal basis of legitimate interest (only available in Portuguese here) and is requesting public comments.

5.7. Legal bases in other instances

Other legal bases to process personal data are (Article 7 of the LGPD):

  • for carrying out studies by research bodies;
  • regular exercise of rights in judicial or administrative lawsuits or arbitration proceedings;
  • regular exercise of rights in a contract (specific for sensitive data);
  • protection of the life or of the physical safety of the data subject or a third party;
  • credit protection, which cannot be applied to sensitive data;
  • fraud prevention and to guarantee security to the data subject (specific for sensitive data); and
  • protection of health, only applying however to procedures carried out by health professionals, health services, or sanitary authorities.

6. Principles

Article 6 of the LGPD provides that any personal data processing activity must be performed observing the following principles:

  • good faith;
  • purpose: processing for legitimate, specific, and explicit purposes informed to the data subject, without any possibility of further processing inconsistent with these purposes;
  • adequacy: compatibility of the processing with the purposes informed to the data subject, in accordance with the context of the processing;
  • necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering data that is relevant, proportionate, and non-excessive in relation to the purposes of the data processing;
  • free access: guarantee to the data subjects of facilitated and free-of-charge consultation about the form and duration of the processing, as well as about the integrity of their personal data;
  • data quality: guarantee to the data subjects of the accuracy, clarity, relevancy, and updating of the data, in accordance with the need and for achieving the purpose of the processing;
  • transparency: guarantee to the data subjects of clear, precise, and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy;
  • security: use of technical and administrative measures able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;
  • prevention: adoption of measures to prevent the occurrence of damage as a result of the processing of personal data;
  • non-discrimination: the impossibility of processing data for discriminatory, unlawful, or abusive purposes; and
  • accountability: proof, by the controller or processor, of the adoption of effective measures able to prove observance of and compliance with the personal data protection rules, as well as of the effectiveness of these measures.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no obligation to notify data processing activities.

7.2. Data transfers

The international transfer of personal data is permitted solely in the following cases (Article 33 of the LGPD):

  • to countries or international organizations that provide an appropriate level of protection of personal data provided for by the LGPD;
  • when the controller provides and demonstrates guarantees of compliance with the principles and rights of the data subject and data protection regime established in the LGPD, in the form of:
    • specific contractual sections for a given transfer;
    • Standard Contractual Clauses ('SCCs');
    • Binding Corporate Rules ('BCRs'); and
    • seals, certificates, and codes of conduct regularly issued;
  • when the transfer is required for international legal cooperation between government intelligence, investigations, and police bodies, in accordance with international law instruments;
  • when the transfer is required for the protection of the life or physical integrity of the data subject or any third party;
  • when the ANPD authorizes such transfer;
  • when the transfer results in a commitment undertaken under an international cooperation agreement;
  • when the transfer is required for the enforcement of a public policy or legal attribution of the public utility, upon disclosure of the provisions of item I of the main provision of Article 23 of the LGPD;
  • when the data subject has provided specific and highlighted consent for such transfer, with prior information on the international nature of the operation, clearly distinguishing it from any other purposes;
  • when necessary to comply with a legal or regulatory obligation by the controller;
  • when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject; or
  • to allow the regular exercise of rights in judicial, administrative, or arbitration procedures.

There are no specific requirements for outsourcing. It is not prohibited under the LGPD; however, if it involves cross-border transfers of personal data, the rules under the LGPD must be observed.

On May 28, 2022, the ANPD announced that, as of that date, it was accepting comments and submissions for the preparation of regulations on international data transfers, would hold open public hearings to debate the subject, and would build these standards together with society.

7.3. Data processing records

The controller and the processor should maintain a record of the personal data processing operations they carry out, especially where they are based on a legitimate interest (Article 37 of the LGPD). There are no requirements on which kind of information should be registered in these records. For small-size data processing agents (as defined by ANPD Resolution No. 2/2022), there will be a simplified template to comply with the obligation to register the data processing activities. On November 4, 2022, the ANPD opened a call to receive contributions from society about the construction of this template. However, the final template has not yet been published.

7.4. Data protection impact assessment

The ANPD may require the controller to prepare a DPIA relating to its data processing operations, as provided for by the regulations, with due regard to commercial and industrial secrecy (Article 10(§3º) of the LGPD). This DPIA should contain at least a description of the types of data collected, the methodology used for collection and for guaranteeing the security of the information, and an analysis of the controller in relation to the measures, safeguards, and risk mitigation mechanisms adopted (Article 38 of the LGPD).

On April 6, 2023, the ANPD published a new page on its website with clarifications on the DPIA, consisting of 15 questions and answers on the subject (only available in Portuguese here), but has not yet regulated this matter.

7.5. Data protection officer appointment

A DPO must be appointed by controllers. The ANPD could exempt controllers from appointing a DPO according to the nature and the size of the entity or the volume of data processing operations (Articles 41 and 41(§ 3º) of LGPD). The identity and contact details of the DPO must be publicly, clearly, and objectively disclosed, preferably on the controllers' website. The activities of the DPO consist of the following (Article 41(§ 1º) of the LGPD):

  • to accept complaints and communications from data subjects, provide clarifications, and take measures;
  • to receive communications from the supervisory authority and take measures;
  • to instruct the employees and contractors of the entity on the practices to be adopted in relation to personal data protection; and
  • to carry out any other duties established by the controller or in supplementary rules.

Professional qualifications

As a best practice, it is considered important that the DPO has freedom in carrying out their assignments. With regard to their professional qualifications, these must be defined by a value judgment made by the controller that appoints them, considering knowledge of data protection and information security at a level that meets the needs of the organization's operation (Topic 6 (6.1) (72) of the Guidance).

Therefore, while the LGPD does not prevent the same DPO from acting on behalf of different organizations, it is important that they are able to carry out their duties efficiently. Thus, before appointing a DPO, the controller must consider whether the DPO will be able to meet its demands and those of other organizations at the same time. Responsibility for the personal data processing activities remains with the controller or processor, as established in Article 42 of the LGPD (Topic 6 (6.1) (74) of the Guidance).

The DPO must also have adequate resources to carry out their activities, which may include human resources. Other factors that should be considered are time (appropriate deadlines), finance, and infrastructure (Topic 6 (6.1) (73) of the Guidance).

Small-size data processing agents

Small-size data processing agents (as defined by ANPD Resolution No. 2/2022) are exempt from the obligation to appoint a DPO, although appointing one will be considered an application of best practices and data protection governance as foreseen in Article 52(§1º) (IX) of LGPD.

7.6. Data breach notification

The controller must notify the ANPD and data subjects of the occurrence of any security incident that may result in any relevant risk or damage to the data subjects (Article 48 of LGPD).

The notice must, at a minimum, contain the following information (Article 48(§ 1º) of LGPD):

  • a description of the nature of the affected personal data;
  • information on the data subjects involved;
  • indication of the technical and security measures used for data protection, with due regard for trade and industrial secrets;
  • the risks relating to the incident;
  • the reasons for the delay, in case the notice is not immediate; and
  • the measures that were or shall be adopted to reverse or mitigate the effects of the loss.

The ANPD released an orientation and security incident reporting form (only available in Portuguese here).

For small-size data processing agents (as defined by ANPD Resolution No. 2/2022), there will be a flexible and simplified procedure to report data breaches (not yet published).

On May 2, 2023, the ANPD published a Public Consultation on the draft resolution on the Regulation of Personal Data Security Incident Reporting but has not yet published the final resolution.

Furthermore, Resolution No. 4.658/2018 of the Brazilian Central Bank (only available in Portuguese here) establishes specific requirements for financial entities regarding cloud computing agreements.

7.7. Data retention

Each sector has its own rules related to data retention. The LGPD only sets forth that data shall be stored for the shortest period of time possible and cannot be processed after the purpose of its processing has been accomplished. Moreover, the ANPD may regulate the period of time for which controllers and processors must keep their records of processing activities (Article 40 of LGPD).

7.8. Children's data

The processing of personal data of children and adolescents must be carried out in their best interest (Article 14 of LGPD). According to the Brazilian Child and Adolescent Statute (only available in Portuguese here), children are individuals under 12 years old, and adolescents are individuals older than 12 years old but younger than 18 years old.

Also, to process the personal data of children, the LGPD requires the collection of specific and explicit consent provided by at least one of the parents or legal guardians. An exception applies when the collection is necessary to contact the parents or legal guardian (used a single time and without storage) or for the child's protection; in such cases, the data may under no circumstances be transferred to third parties without the aforementioned consent (Article 14(§ 1º) of the LGPD).

However, on May 22, 2023, the ANPD published Statement No. 1/2023, establishing that the processing of personal data of children and adolescents can be carried out based on any of the legal bases provided in Article 7 or Article 11 of the LGPD, as long as their best interest is observed and prevails, to be evaluated in the specific case, under the terms of Article 14 of the LGPD. The Statement is a deliberative instrument with the purpose of interpreting personal data protection legislation; it is an act of the ANPD and has binding effects on the ANPD.

7.9. Special categories of personal data

Controllers are also required to have an appropriate legal basis in order to be allowed to process sensitive personal data, as summarized below (Article 11 of the LGPD):

  • consent;
  • compliance with a legal or regulatory obligation;
  • shared processing of data necessary for the execution, by the public administration, of public policies provided for in laws or regulations;
  • for carrying out studies by research bodies;
  • regular exercise of rights in lawsuits or administrative or arbitration proceedings or in a context of a contract;
  • protection of life or physical safety;
  • protection of health (only applicable to procedures carried out by health professionals, health services, or sanitary authorities); and
  • fraud prevention and guaranteeing the security of the data subject.

7.10. Controller and processor contracts

There are no specific rules on controller and processor agreements under the LGPD; the only requirement is that a data processor must follow all the instructions provided by the data controller. It is for the data controller to verify compliance with its instructions and with the regulations related to data protection. It is worth mentioning that the ANPD emphasizes that the position of a data processing agent as a controller or processor is determined by its concrete actions in a specific context and not by a formal designation (for example, in a contract).

8. Data Subject Rights

The LGPD establishes the following rights for data subjects (Article 18 of the LGPD):

  • confirmation of the existence of processing;
  • access to data;
  • correction of incomplete, inaccurate, or outdated data;
  • anonymization, blocking, or elimination of unnecessary or excessive data or of data processed in non-compliance with the provisions of the LGPD;
  • portability of the data to other service providers or suppliers of products, by the means of an express request, pursuant to the regulations of the ANPD, and subject to commercial and industrial secrecy;
  • elimination of the personal data processed with the consent of the data subjects, except in the cases set forth in Article 16 of the LGPD;
  • information on the public and private entities with which the controller has shared data;
  • information on the possibility of not providing consent and on the consequences of such denial;
  • revocation of the consent, pursuant to the provisions of Article 8(5) of the LGPD; and
  • review of decisions based on the processing of personal data carried out exclusively by automated means.

The rights of confirmation of the existence of processing and access to data must be addressed by the controller immediately, when in a simplified format, or within 15 days, when in a clear and complete declaration (Article 19(II) of the LGPD). For the other data subject rights, the ANPD must regulate the appropriate timeframe that should be observed by data controllers (Article 19(§4º) of the LGPD).

8.1. Right to be informed

The LGPD specifies that data subjects have the right of access to information concerning the processing of their personal data (Article 9 of the LGPD). The LGPD does not explicitly refer to a difference in requirements for the right to be informed when personal data is obtained directly from the data subject or third party.

8.2. Right to access

The LGPD provides that data subjects have the right to obtain, at any time and by means of request, information regarding the data subject's personal data that is being processed (Article 18 of the LGPD).

8.3. Right to rectification

The LGPD provides that data subjects have the right to the correction of incomplete, inaccurate, or out-of-date data, at any time and by means of request (Article 18(III) of the LGPD).

8.4. Right to erasure

This right is to be exercised upon request when the processing is considered unnecessary or excessive, or when the data is processed in non-compliance with the provisions of the LGPD. Also, data subjects have the right to request the removal of their personal data which is processed under the legal basis of consent (Article 18(VI) of the LGPD), with an exception applied to data stored for:

  • compliance with legal or regulatory obligations by the controller;
  • studies by a research body, ensuring, whenever possible, the anonymization of personal data; and
  • transfer to third parties, provided that it complies with the data processing requirements set forth by the LGPD.

8.5. Right to object/opt-out

In case of non-compliance with the LGPD, data subjects have the right to object to processing activities founded on a legal basis other than consent (Article 18(§ 2º) of the LGPD).

8.6. Right not to be subject to automated decision-making

The data subject has the right to request the review of decisions made solely on the basis of automated processing of personal data affecting their interests, including decisions intended to define their personal, professional, consumer, and credit profile, or aspects of their personality (Article 20 of the LGPD).

8.7. Right to restriction of processing

The LGPD outlines that a data subject can request the blocking of unnecessary or excessive data, or of data processed in non-compliance with the provisions of the LGPD (Article 18(IV) of the LGPD). Under the LGPD, the right to restriction is referred to as 'blocking', which the LGPD defines as the temporary suspension of any processing operation, by means of retention of the personal data or of the database (Article 5(XIII) of the LGPD).

8.8. Other rights

Not Applicable.

9. Penalties

Under the LGPD, the following sanctions may be imposed (Article 51 of the LGPD):

  • warnings, with an indication of a term for the adoption of corrective measures;
  • simple fines of up to 2% of the sales revenue of the legal entity of private law, group, or conglomerate in Brazil in its last fiscal year, excluding taxes, limited, in the aggregate, to BRL 50 million (approx. $10 million) per infraction;
  • daily fines, with due regard for the total limit referred to in the previous item;
  • disclosure of the infraction after it has been duly investigated and its occurrence has been confirmed;
  • blockage of the personal data to which the infraction relates, until its regularization;
  • elimination of the personal data to which the infraction relates;
  • partial suspension of the functioning of the databases which are the subject of the non-compliant action for up to six months, extendable for a further six months; and
  • partial or total prohibition to execute activities related to data processing.

The sanctions will be applied after an administrative procedure that allows for the opportunity of broad defense, in a gradual, isolated, or cumulative manner, according to the peculiarities of the concrete case and considering the following parameters and criteria:

  • gravity and nature of the infractions and the personal rights affected;
  • violator's good faith;
  • the advantage obtained or intended by the violator;
  • the economic condition of the violator;
  • recidivism;
  • degree of the damage;
  • cooperation of the violator;
  • reiterated and proven adoption of internal mechanisms and procedures capable of minimizing the damage;
  • adoption of a policy of good practices and governance;
  • prompt adoption of corrective measures; and
  • proportionality between the seriousness of the fault and the intensity of the sanction.

The application of administrative sanctions will occur based on clear and established requirements, according to the criteria and parameters for pecuniary and non-pecuniary sanctions by the ANPD, as well as the forms and metrics for calculating the basic amount of the fines defined by Resolution No 4/2023.

9.1. Enforcement decisions

The ANPD imposed the following sanctions on Telekall Inforservice:

  • a warning, without corrective measures, for violation of Article 41 of the LGPD;
  • a fine of BRL 7,200 (approx. $1,469), for violation of Article 7 of the LGPD; and
  • a fine of BRL 7,200 (approx. $1,469), for violation of Article 5 of the Regulation.