Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Brazil: Privacy policies under the LGPD

The introduction of a comprehensive data protection law inevitably requires companies to consider more seriously options such as privacy policies which are available to them in their compliance efforts, even if such methods are not made mandatory by law. Renato Opice Blum and Shirly Wajsbrot, Founding Partner and Senior Lawyer respectively at Opice Blum, Bruno, Abrusio e Vainzof Advogados, discuss this issue in the Brazilian context with reference to the incoming Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13853 of 8 July 2019) ('LGPD').

coldsnowstorm / Signature collection / istockphoto.com

General context

The protection of personal data is a subject of recent emphasis in several countries, which already have or are about to pass specific legislation for this purpose. Brazil is an example of a country that has been discussing and has recently enacted a specific law; that being the LGPD, which represents an important milestone in the Brazilian legal system.

The LGPD regulates the processing of personal data by a natural or corporate person under public or private law, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

Since 28 December 2018, and up until the time of publication of this text, the provisions that deal with the creation of the Brazilian data protection authority ('ANPD') and within it the National Council for the Protection of Personal Data and Privacy ('the National Council') have been in force in accordance with the prior amendments to the LGPD. The effectiveness of the other articles of the LGPD is scheduled (at present) for May 2021 (excluding its articles on administrative sanctions, which are set for 1 August 2021), but this still depends on the status of Provisional Measure No. 959 of 29 April 2020, in order for the effective date to be confirmed.

However, depending on the approval or denial of the Provisional Measure, the due date could be kept as it is or changed to August 2020 and August 2021.

Rules and best practice

Regardless of the issue of entry into force, the fact is that companies in all sectors and of all sizes are working against the clock in preparing their compliance plans and privacy policies. This compliance involves, above all, a cultural change for a country like Brazil that until today has not had a very ingrained culture of protection of personal data.

Inspired by the General Data Protection Regulation (Regulation (EU) 2016/679), the Brazilian law has as its central axis the protection of the rights of the data subject, based on principles and requirements that seek to facilitate their access and understanding. To this end, the Article 6 of the LGPD lists ten general principles that shall be considered in the treatment of personal data, in addition to that of good faith. Among these listed principles is the principle of transparency, which guarantees clear and accurate information to data subjects on the treatment and completeness of their personal data, as well as the principle of free access, which guarantees the subject easy and free access to the completeness of their data.

Regarding the principle of free access by the data subject to information on the processing of their data, Article 9 also provides for the fulfilment of certain requirements for its validation, providing that this information shall be made available in a clear, appropriate, and ostensible manner. Furthermore, it adds other requirements such as providing a specific purpose, form, and duration of treatment, identification and contact information of the controller, information on the shared use of the data and its purpose, responsibility of the agents who will carry out the treatment, and explicit mention of the subject's rights provided for in Article 18 of the LGPD.

To enable compliance with the duty of transparency and the subject's free access, it is necessary to create a privacy policy that is directed to the public and which provides general and specific information on the processing of data by that agent in compliance with the requirements set forth in Article 9 of the LGPD.

The privacy policy shall provide transparency to the agent's processing activities, be understandable and objective, and enable the data subject to exercise consent or refusal to collect and/or process their data.

In the case of data processing by legal entities of public law, the LGPD lists the requirements that the privacy policy shall have under Article 23. Among them is the need to provide clear and up-to-date information on the legal base, purpose, procedures, and practices used for these activities. It further determines that this privacy policy must be published in an easily accessible form of media, preferably on their websites.

The privacy policy is the realisation of one of the grounds of data protection, provided for in Article 2, II of the LGPD; that is, the right to informational self-determination. Originally a concept imported from Germany, informational self-determination was acknowledged in a trial on the German Census Law in 1982 and refers to the control that the data subject shall have or, at the least, the possibility of protection over the destination and the methods used, among all the technological options offered, for the collection and processing of his personal data.

In the case of children and adolescents, the LGPD determines that the treatment of their personal data shall be done in their best interest. Under the Child and Adolescent Statute (ECA Law No. 8.069 of 1990), individuals up to 12 years of age are considered to be children and, between 12 and 18 years old, adolescents. The specific and highlighted consent given by at least one of the parents or legal guardian is required when dealing with children's personal data. In addition, the controllers must keep public the information on the types of data collected, the form of its use, and the procedures for exercising the data subject's rights.

In relation to this information on data processing of children and adolescents in the privacy policy, the LGPD provides that they shall be provided in a simple, clear, and accessible way, always considering that the physical-motor, perceptual, sensory, intellectual, and mental health of these data subjects differs from those of adults.

There is no specific format provision for the privacy policy in the LGPD, neither for adults nor for children, but it is possible to use audio-visual resources when necessary for the child's understanding.

In fact, there is not even an explicit mention to a mandatory privacy policy, despite the fact that it is already a widespread practice in Europe, and is indeed the most effective way of rendering accounts and guaranteeing the protection of data subjects' rights, in doing so, complying with the requirements set forth in the LGPD.

Renato Opice Blum Founding Partner
[email protected]
Shirly Wajsbrot Senior Lawyer
[email protected]
Opice Blum, Bruno, Abrusio e Vainzof Advogados, São Paulo