LGPD makes rules easier for small businesses

In the LGPD, the consent of the data subject is an essential element for processing, a rule subject to exception in the cases provided for in art. 11, II, of the Law.

And here it is important to note: the law provides several guarantees to the user, such as: being able to request that their personal data be deleted; revoke consent; transfer data to another service provider, among other actions. Data processing must be done taking into account certain requirements, such as purpose and need, to be previously agreed upon and informed to the holder.

How the inspection works
To monitor and apply penalties for non-compliance with the LGPD, Brazil has the National Personal Data Protection Authority (ANPD). The institution is responsible for regulating and providing preventive guidance on how to apply the law in general.

However, the General Personal Data Protection Law also provides for the existence of data processing agents and stipulates their functions in organizations, such as: the controller, who makes decisions about the processing; the operator, who carries out the processing on behalf of the controller; and the person in charge, who interacts with the holders of personal data and the national authority.

Regarding risk and failure management, the person responsible for managing personal data must also draft governance standards; adopt preventive security measures; replicate good practices and certifications existing in the market; prepare contingency plans; conduct audits; and resolve incidents quickly, with immediate notice of violations to the ANPD and to affected individuals.

And the next paragraph demands close attention:

Security breaches can result in fines of up to 2% of an organization's annual revenue in Brazil – capped at R$50 million per violation. The national authority will set penalty levels according to the severity of the breach and will send alerts and guidance before imposing sanctions on organizations.

Small businesses need special treatment
According to Sebrae, the intention is not to exempt small businesses from the responsibility of protecting personal data, but rather to ensure that their specificities are observed (as provided for in the Brazilian Constitution). The changes are an important instrument to help small businesses, which account for 99% of Brazilian enterprises, that is, a universe of more than 17 million companies.

“Individual microentrepreneurs and small businesses need to be treated equally, precisely because they do not have the size and budget of large companies. It is a question of balance and increasing the effectiveness of the law,” highlights Carlos Melles, president of Sebrae.

The new rules that came into effect in January 2022 apply to:

micro and small businesses;
startups;
non-profit organizations.

Small businesses will not benefit from the flexibility of the LGPD in 2 main scenarios:
1. Treatment of high-risk data
The new rules do not apply when the processing is considered to be of high risk to the data subjects. A processing may be considered to be of high risk when it meets, cumulatively, at least one general criterion and one specific criterion:

General criteria

when the processing of personal data is carried out on a large scale;
when the processing of personal data may significantly affect the interests and fundamental rights of data subjects.

Specific criteria

use of emerging or innovative technologies;
surveillance or control of areas accessible to the public;
decisions taken solely on the basis of automated processing of personal data, including those intended to define the personal, professional, health, consumer and credit profile or aspects of the data subject's personality;
use of sensitive personal data or personal data of children, adolescents and the elderly.

There are still doubts about what may or may not be considered high-risk processing. For this reason, the Resolution states that the ANPD may provide guides and guidance with the aim of assisting small-scale processing agents in assessing high-risk processing.

To characterize large-scale processing, factors such as the number of data subjects, the volume of personal data involved, duration, frequency and geographical extent of the processing carried out must be considered.
