The General Data Protection Law (LGPD) came into effect last Friday, September 18th, making Brazil one of the 101 nations in the world to have specific and well-defined rules for the processing of personal data of Brazilian citizens or of people who are in the country.
The legislation defines data processing as any operation carried out with personal data, from collection, through use and storage, to distribution, modification and deletion. In addition, it settles a series of issues related to data, such as its categorization, greater autonomy for holders, the hypotheses for collection and treatment, special conditions for sensitive data, the obligations of private companies and public bodies, and the penalties in case of non-compliance with the rules.
The LGPD also provides for the formation of the National Data Protection Authority (ANPD), a body associated with the federal government that will be responsible for overseeing the application of the law and applying punishments to those who disrespect it. However, this body does not yet exist.
What are the obligations of companies under the General Data Protection Law
When collecting data, companies need to inform the holder of the purpose. The law provides for a series of obligations for organizations, which need to keep records of all treatment activities so that these can be made known at the request of the holders or verified by the National Authority in case of irregularities. When an organization receives a request from the holder, the response must be given within 15 days.
Organizations need to take measures to ensure data security and notify the data subject in the event of an incident. This requirement applies to all those responsible in the treatment network. If a controller manages data to someone, it may be held responsible and will have to bear the damage.
General Data Protection Law: sanctions and inspection
The General Data Protection Law lists a series of sanctions in case of violation of the established norms, among them:
– Warning, with the possibility of corrective measures;
– Fine of up to 2% of billing, limited to R$ 50 million;
– Blocking or deletion of personal data related to the irregularity;
– Partial suspension of the operation of the database;
– Partial or total prohibition of the processing activity.