
GENERAL PERSONAL DATA PROTECTION LAW (LGPD)

CHAPTER I
PRELIMINARY PROVISIONS

Art. 1 This Law provides for the processing of personal data, including in digital media, by a natural person or by a legal entity governed by public or private law, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

Sole paragraph. The general rules contained in this Law are of national interest and must be observed by the Union, States, Federal District and Municipalities. (Included by Law No. 13,853 of 2019)

Art. 2 The discipline of personal data protection is based on:

I - respect for privacy;

II - informational self-determination;

III - freedom of expression, information, communication and opinion;

IV - the inviolability of intimacy, honor and image;

V - economic and technological development and innovation;

VI - free enterprise, free competition and consumer protection; and

VII - human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.

Art. 3 This Law applies to any processing operation carried out by a natural person or by a legal entity governed by public or private law, regardless of the medium, the country of its headquarters or the country where the data are located, provided that:

I - the treatment operation is carried out in the national territory;

II - the processing activity has the objective of offering or providing goods or services or the processing of data of individuals located in the national territory; or (Wording provided by Law No. 13,853, of 2019)

III - the personal data being processed have been collected in the national territory.

§ 1 Personal data whose holder is in the national territory at the time of collection are considered collected in the national territory.

§ 2. The data processing provided for in item IV of the caput of art. 4 of this Law.

Art. 4 This Law does not apply to the processing of personal data:

I - carried out by a natural person for exclusively private and non-economic purposes;

II - carried out exclusively for the following purposes:

a) journalistic and artistic; or

b) academic, in which case arts. 7 and 11 of this Law apply;

III - carried out for the exclusive purposes of:

a) public safety;

b) national defense;

c) State security; or

d) investigation and prosecution of criminal offenses; or

IV - coming from outside the national territory and which are not the object of communication, shared use of data with Brazilian processing agents or object of international data transfer with another country other than the country of origin, provided that the country of origin provides a degree of protection of personal data appropriate to the provisions of this Law.

§ 1 The processing of personal data provided for in item III shall be governed by specific legislation, which shall provide for measures that are proportionate and strictly necessary to meet the public interest, observing due legal process, the general principles of protection and the rights of the holder provided for in this Law.

§ 2 The processing of the data referred to in item III of the caput of this article by a person governed by private law is prohibited, except in procedures under the tutelage of a legal entity governed by public law, which will be subject to a specific report to the national authority and which must comply with the limitation imposed in § 4 of this article.

§ 3 The national authority will issue technical opinions or recommendations regarding the exceptions provided for in item III of the caput of this article and shall request impact reports on the protection of personal data from those responsible.

§ 4 In no case shall the totality of the personal data in the database referred to in item III of the caput of this article be processed by a person governed by private law, except for one whose capital is fully constituted by the public power. (Wording provided by Law No. 13,853, of 2019)

Art. 5 For the purposes of this Law, it is considered:

I - personal data: information related to an identified or identifiable natural person;

II - sensitive personal data: personal data about racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data referring to health or sexual life, genetic or biometric data, when linked to a natural person;

III - anonymized data: data relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of its treatment;

IV - database: structured set of personal data, established in one or several places, in electronic or physical support;

V - holder: natural person to whom the personal data being processed refer;

VI - controller: natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data;

VII - operator: natural or legal person, governed by public or private law, who processes personal data on behalf of the controller;

VIII - person in charge: person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD); (Wording provided by Law No. 13,853, of 2019)

IX - treatment agents: the controller and the operator;

X - treatment: any operation carried out with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction;

XI - anonymization: use of reasonable technical means available at the time of treatment, through which data loses the possibility of association, directly or indirectly, with an individual;

XII - consent: free, informed and unequivocal expression by which the holder agrees with the processing of his personal data for a specific purpose;

XIII - blocking: temporary suspension of any processing operation, by keeping personal data or the database;

XIV - elimination: deletion of data or a set of data stored in a database, regardless of the procedure used;

XV - international data transfer: transfer of personal data to a foreign country or international organization of which the country is a member;

XVI - shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared treatment of personal data banks by public bodies and entities in the fulfillment of their legal competences, or between these and private entities, reciprocally, with specific authorization, for one or more treatment modalities allowed by these public entities, or between private entities;

XVII - impact report on the protection of personal data: controller documentation that contains a description of the personal data processing processes that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards and risk mitigation mechanisms;

XVIII - research body: body or entity of the direct or indirect public administration or non-profit legal entity of private law legally constituted under Brazilian laws, with headquarters and jurisdiction in the country, which includes in its institutional mission or in its social or statutory purpose basic or applied research of a historical, scientific, technological or statistical nature; and (Wording provided by Law No. 13,853, of 2019)

XIX - national authority: public administration body responsible for overseeing, implementing and monitoring compliance with this Law throughout the national territory. (Wording provided by Law No. 13,853, of 2019)

Art. 6 The personal data processing activities must observe good faith and the following principles:

I - purpose: carrying out the treatment for legitimate, specific, explicit and informed purposes to the holder, without the possibility of further processing in a way incompatible with these purposes;

II - adequacy: compatibility of the treatment with the purposes informed to the holder, according to the context of the treatment;

III - necessity: limitation of the treatment to the minimum necessary for the accomplishment of its purposes, with coverage of the relevant, proportional and not excessive data in relation to the purposes of the data processing;

IV - free access: guarantee, to the holders, of facilitated and free consultation on the form and duration of the treatment, as well as on the integrality of their personal data;

V - data quality: guarantee, to the holders, of accuracy, clarity, relevance and updating of the data, according to the need and for the fulfillment of the purpose of its treatment;

VI - transparency: guarantee, to the holders, of clear, precise and easily accessible information about the execution of the treatment and the respective treatment agents, observing the commercial and industrial secrets;

VII - security: use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;

VIII - prevention: adoption of measures to prevent the occurrence of damages due to the processing of personal data;

IX - non-discrimination: impossibility of carrying out the treatment for illicit or abusive discriminatory purposes;

X - accountability and rendering of accounts: demonstration, by the agent, of the adoption of effective measures capable of proving the observance and compliance with the rules for the protection of personal data, including the effectiveness of these measures.

CHAPTER II
TREATMENT OF PERSONAL DATA

Section I
Requirements for the Processing of Personal Data

Art. 7 The processing of personal data can only be carried out in the following cases:

I - upon providing consent by the holder;

II - for compliance with a legal or regulatory obligation by the controller;

III - by the public administration, for the treatment and shared use of data necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments, in compliance with the provisions of Chapter IV of this Law;

IV - to carry out studies by a research body, guaranteeing, whenever possible, the anonymization of personal data;

V - when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;

VI - for the regular exercise of rights in judicial, administrative or arbitration proceedings, the latter under the terms of Law No. 9,307, of September 23, 1996 (Arbitration Law);

VII - for the protection of the life or physical safety of the holder or a third party;

VIII - for the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority; (Wording provided by Law No. 13,853, of 2019)

IX - when necessary to meet the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the holder that require the protection of personal data prevail; or

X - for the protection of credit, including the provisions of the relevant legislation.

§ 1 (Revoked). (Wording provided by Law No. 13,853, of 2019)

§ 2 (Revoked). (Wording provided by Law No. 13,853, of 2019)

§ 3 The processing of personal data whose access is public must consider the purpose, good faith and public interest that justified its availability.

§ 4 The consent requirement provided for in the caput of this article is waived for data made manifestly public by the data subject, safeguarding the data subject's rights and the principles provided for in this Law.

§ 5 The controller who has obtained the consent referred to in item I of the caput of this article who needs to communicate or share personal data with other controllers must obtain specific consent from the holder for this purpose, except for the cases of waiver of consent provided for in this Law.

§ 6 The eventual waiver of the consent requirement does not release the processing agents from the other obligations provided for in this Law, especially from the observance of the general principles and the guarantee of the holder's rights.

§ 7 The further processing of the personal data referred to in §§ 3 and 4 of this article may be carried out for new purposes, provided that the legitimate and specific purposes for the new treatment and the preservation of the holder's rights are observed, as well as the fundamentals and principles provided for in this Law. (Included by Law No. 13,853 of 2019)

Art. 8 The consent provided for in item I of art. 7 of this Law must be provided in writing or by another means that demonstrates the holder's expression of will.

§ 1 If the consent is provided in writing, it must be included in a clause detached from the other contractual clauses.

§ 2 The onus of proof is on the controller to prove that consent was obtained in accordance with the provisions of this Law.

§ 3 The processing of personal data on the basis of defective consent is prohibited.

§ 4 The consent must refer to specific purposes, and the generic authorizations for the processing of personal data will be null.

§ 5 Consent may be revoked at any time upon express expression of the holder, through a free and facilitated procedure, ratifying the treatments carried out under the support of the previously expressed consent, as long as there is no request for elimination, pursuant to item VI of the caput of art. 18 of this Law.

§ 6 In case of alteration of information referred to in items I, II, III or V of art. 9 of this Law, the controller must inform the holder, specifically highlighting the content of the changes, and the holder may, in cases where his consent is required, revoke it if he disagrees with the change.

Art. 9 The data subject has the right to facilitated access to information on the processing of their data, which must be made available in a clear, adequate and ostensible manner about, among other characteristics provided for in regulations to comply with the principle of free access:

I - specific purpose of the treatment;

II - form and duration of treatment, subject to commercial and industrial secrecy;

III - identification of the controller;

IV - controller contact information;

V - information about the shared use of data by the controller and the purpose;

VI - responsibilities of the agents who will carry out the treatment; and

VII - rights of the holder, with explicit mention of the rights contained in art. 18 of this Law.

§ 1 In the event that consent is required, it will be considered void if the information provided to the holder has misleading or abusive content or has not been previously presented transparently, in a clear and unequivocal manner.

§ 2 In the event that consent is required, if there are changes in the purpose for the processing of personal data not compatible with the original consent, the controller must previously inform the holder about the changes in purpose, and the holder may revoke the consent if he disagrees with the changes.

§ 3 When the processing of personal data is a condition for the provision of a product or service or for the exercise of a right, the holder will be informed about this fact and about the means by which he can exercise the holder's rights listed in art. 18 of this Law.

Art. 10. The controller's legitimate interest can only justify the processing of personal data for legitimate purposes, considered from concrete situations, which include, but are not limited to:

I - support and promotion of controller activities; and

II - protection, in relation to the holder, of the regular exercise of their rights or provision of services that benefit them, respecting their legitimate expectations and fundamental rights and freedoms, under the terms of this Law.

§ 1 When processing is based on the controller's legitimate interest, only personal data strictly necessary for the intended purpose may be processed.

§ 2 The controller shall adopt measures to ensure the transparency of data processing based on its legitimate interest.

§ 3 The national authority may request from the controller an impact report on the protection of personal data, when the treatment is based on its legitimate interest, observing commercial and industrial secrets.

 

Section II
Processing Sensitive Personal Data

Art. 11. The processing of sensitive personal data can only occur in the following cases:

I - when the holder or his legal guardian consents, in a specific and prominent way, for specific purposes;

II - without providing the holder's consent, in cases where it is essential to:

a) compliance with a legal or regulatory obligation by the controller;

b) shared treatment of data necessary for the execution, by the public administration, of public policies provided for in laws or regulations;

c) carrying out studies by a research body, guaranteeing, whenever possible, the anonymization of sensitive personal data;

d) regular exercise of rights, including in contract and in judicial, administrative and arbitration proceedings, the latter under the terms of Law No. 9,307, of September 23, 1996 (Arbitration Law);

e) protection of the life or physical safety of the holder or a third party;

f) protection of health, exclusively, in a procedure performed by health professionals, health services or health authority; or (Wording provided by Law No. 13,853, of 2019)

g) guarantee of fraud prevention and security of the holder, in the processes of identification and authentication of registration in electronic systems, safeguarding the rights mentioned in art. 9 of this Law and except where the holder's fundamental rights and freedoms that require the protection of personal data prevail.

§ 1 The provisions of this article apply to any processing of personal data that reveals sensitive personal data and that may cause damage to the holder, except for the provisions of specific legislation.

§ 2 In cases of application of the provisions of sub-items “a” and “b” of item II of the caput of this article by public bodies and entities, the aforementioned waiver of consent will be publicized, pursuant to item I of the caput of art. 23 of this Law.

§ 3 The communication or shared use of sensitive personal data between controllers with the objective of obtaining economic advantage may be prohibited or regulated by the national authority, after hearing the sectoral bodies of the Public Power, within the scope of their competence.

§ 4 Communication or shared use between controllers of sensitive personal data relating to health with the objective of obtaining economic advantage is prohibited, except in cases related to the provision of health services, pharmaceutical assistance and health care, provided that § 5 of this article is observed, including auxiliary diagnosis and therapy services, for the benefit of the interests of data subjects, and to allow: (Wording provided by Law No. 13,853, of 2019)

I - data portability when requested by the holder; or (Included by Law No. 13,853 of 2019)

II - the financial and administrative transactions resulting from the use and provision of the services mentioned in this paragraph. (Included by Law No. 13,853 of 2019)

§ 5 Operators of private health care plans are prohibited from processing health data for the practice of risk selection in contracting any modality, as well as in contracting and excluding beneficiaries. (Included by Law No. 13,853 of 2019)

Art. 12. Anonymized data will not be considered personal data for the purposes of this Law, except when the anonymization process to which they were submitted is reversed, using exclusively their own means, or when, with reasonable efforts, it can be reversed.

§ 1 The determination of what is reasonable must take into account objective factors, such as cost and time required to reverse the anonymization process, according to available technologies, and the exclusive use of own means.

§ 2 For the purposes of this Law, data used to form the behavioral profile of a certain natural person, if identified, may also be considered as personal data.

§ 3 The national authority may provide for standards and techniques used in anonymization processes and carry out checks on their security, after hearing the National Council for the Protection of Personal Data.

Art. 13. When carrying out public health studies, research bodies may have access to personal databases, which will be treated exclusively within the body and strictly for the purpose of carrying out studies and research and kept in a controlled and safe environment, in accordance with security practices provided for in specific regulations and that include, whenever possible, the anonymization or pseudonymization of data, as well as considering the due ethical standards related to studies and research.

§ 1 The disclosure of the results or any excerpt from the study or research referred to in the caput of this article may under no circumstances reveal personal data.

§ 2 The research body will be responsible for the security of the information provided for in the caput of this article, not allowing, under any circumstances, the transfer of data to a third party.

§ 3 Access to the data referred to in this article will be subject to regulation by the national authority and the authorities in the health and sanitary area, within the scope of their competences.

§ 4 For the purposes of this article, pseudonymization is the treatment through which data lose the possibility of association, directly or indirectly, with an individual, except through the use of additional information kept separately by the controller in a controlled and safe environment.

Section III
Processing Personal Data of Children and Adolescents

Art. 14. The processing of personal data of children and adolescents must be carried out in their best interest, under the terms of this article and the relevant legislation.

§ 1 The processing of personal data of children must be carried out with the specific and highlighted consent given by at least one of the parents or by the legal guardian.

§ 2 In the processing of data referred to in § 1 of this article, controllers must keep public information on the types of data collected, the way in which they are used and the procedures for exercising the rights referred to in art. 18 of this Law.

§ 3 Personal data from children may be collected without the consent referred to in § 1 of this article when the collection is necessary to contact the parents or the legal guardian, used only once and without storage, or for their protection, and in no case may be transferred to a third party without the consent mentioned in § 1 of this article.

§ 4 Controllers shall not condition the participation of the holders mentioned in § 1 of this article in games, internet applications or other activities to the provision of personal information beyond those strictly necessary for the activity.

§ 5 The controller must make all reasonable efforts to verify that the consent referred to in § 1 of this article was given by the person responsible for the child, considering the available technologies.

§ 6 The information on the processing of data referred to in this article must be provided in a simple, clear and accessible way, considering the physical-motor, perceptual, sensorial, intellectual and mental characteristics of the user, using audiovisual resources when appropriate, so as to provide the necessary information to the parents or the legal guardian and adequate to the understanding of the child.

Section IV
End of Data Processing

Art. 15. The end of the processing of personal data will occur in the following cases:

I - verification that the purpose has been achieved or that the data are no longer necessary or relevant to reach the specific purpose pursued;

II - end of the treatment period;

III - communication of the holder, including the exercise of his right to revoke consent as provided in § 5 of art. 8 of this Law, safeguarding the public interest; or

IV - determination of the national authority, when there is a violation of the provisions of this Law.

Art. 16. Personal data will be deleted after the end of their treatment, within the scope and technical limits of the activities, with retention authorized for the following purposes:

I - compliance with a legal or regulatory obligation by the controller;

II - study by a research body, guaranteeing, whenever possible, the anonymization of personal data;

III - transfer to a third party, provided that the data processing requirements set forth in this Law are respected; or

IV - exclusive use of the controller, its access by a third party being prohibited, and provided that the data is anonymized.

CHAPTER III
THE RIGHTS OF THE HOLDER

Art. 17. Every natural person is guaranteed the ownership of their personal data and guaranteed the fundamental rights of freedom, intimacy and privacy, under the terms of this Law.

Art. 18. The holder of personal data has the right to obtain from the controller, in relation to the data of the holder processed by him, at any time and upon request:

I - confirmation of the existence of treatment;

II - access to data;

III - correction of incomplete, inaccurate or outdated data;

IV - anonymization, blocking or elimination of unnecessary, excessive or treated data in violation of the provisions of this Law;

V - portability of data to another service or product provider, upon express request, in accordance with the regulation of the national authority, observing commercial and industrial secrets; (Wording provided by Law No. 13,853, of 2019)

VI - elimination of personal data processed with the consent of the holder, except in the cases provided for in art. 16 of this Law;

VII - information on public and private entities with which the controller made shared use of data;

VIII - information on the possibility of not providing consent and on the consequences of denial;

IX - revocation of consent, pursuant to § 5 of art. 8 of this Law.

§ 1 The holder of personal data has the right to petition in relation to their data against the controller before the national authority.

§ 2 The data subject may object to treatment carried out based on one of the hypotheses of waiver of consent, in the event of non-compliance with the provisions of this Law.

§ 3 The rights provided for in this article shall be exercised upon an express request from the holder or a legally constituted representative, to the processing agent.

§ 4 In case of impossibility of immediate adoption of the measure referred to in § 3 of this article, the controller will send the holder a response in which he can:

I - communicate that it is not a data processing agent and indicate, whenever possible, the agent; or

II - indicate the reasons in fact or in law that prevent the immediate adoption of the measure.

§ 5 The request referred to in § 3 of this article will be answered at no cost to the holder, within the deadlines and under the terms provided for in the regulation.

§ 6 The person in charge must immediately inform the processing agents with whom he has shared use of data of the correction, elimination, anonymization or blocking of the data, so that they repeat the same procedure, except in cases where this communication is demonstrably impossible or involves disproportionate effort. (Wording provided by Law No. 13,853, of 2019)

§ 7 The portability of personal data referred to in item V of the caput of this article does not include data that have already been anonymized by the controller.

§ 8 The right referred to in § 1 of this article may also be exercised before consumer protection bodies.

Art. 19. Confirmation of the existence of, or access to, personal data will be provided, upon request of the holder:

I - in simplified format, immediately; or

II - by means of a clear and complete statement, indicating the origin of the data, the lack of registration, the criteria used and the purpose of the treatment, observing the commercial and industrial secrets, provided within a period of up to 15 (fifteen) days, counted from the date of the holder's application.

§ 1 The personal data will be stored in a format that favors the exercise of the right of access.

§ 2 The information and data may be provided, at the discretion of the holder:

I - by electronic means, safe and suitable for this purpose; or

II - in printed form.

§ 3 When the treatment originates from the consent of the data subject or in a contract, the data subject may request a full electronic copy of their personal data, subject to commercial and industrial secrets, in accordance with the regulations of the national authority, in a format that allows their subsequent use, including in other treatment operations.

§ 4 The national authority may have different provisions regarding the deadlines provided for in items I and II of the caput of this article for specific sectors.

Art. 20. The data subject has the right to request the review of decisions taken solely on the basis of automated processing of personal data that affect their interests, including decisions aimed at defining their personal, professional, consumer and credit profile or aspects of their personality. (Wording provided by Law No. 13,853, of 2019)

§ 1 The controller shall provide, whenever requested, clear and adequate information regarding the criteria and procedures used for the automated decision, observing commercial and industrial secrets.

§ 2 In the event of failure to provide the information referred to in § 1 of this article based on the observance of commercial and industrial secrecy, the national authority may carry out an audit to verify discriminatory aspects in automated processing of personal data.

§ 3 (VETOED). (Included by Law No. 13,853 of 2019)

Art. 21. Personal data referring to the regular exercise of rights by the holder cannot be used to their detriment.

Art. 22. The defense of the interests and rights of data subjects may be exercised in court, individually or collectively, in accordance with the provisions of the relevant legislation, regarding the instruments of individual and collective protection.

CHAPTER IV
THE PROCESSING OF PERSONAL DATA BY THE GOVERNMENT

Section I
Rules

 

Art. 23. The processing of personal data by legal entities governed by public law referred to in the sole paragraph of art. 1 of Law No. 12,527, of November 18, 2011 (Access to Information Law), must be carried out to fulfill its public purpose, in the pursuit of the public interest, with the objective of performing legal powers or fulfilling the legal attributions of the public service, provided that:

I - the cases in which, in the exercise of their powers, they carry out the processing of personal data are informed, providing clear and up-to-date information on the legal provision, the purpose, procedures and practices used for the execution of these activities, in vehicles of easy access, preferably on their websites;

II - (VETOED); and

III - a person in charge is appointed when performing personal data processing operations, pursuant to art. 39 of this Law; and (Wording provided by Law No. 13,853, of 2019)

IV - (VETOED). (Included by Law No. 13,853 of 2019)

§ 1 The national authority may provide for the forms of publicity of processing operations.

§ 2 The provisions of this Law do not exempt the legal entities mentioned in the caput of this article from establishing the authorities referred to in Law No. 12,527, of November 18, 2011 (Access to Information Law).

§ 3 The deadlines and procedures for exercising the rights of the holder before the Public Power shall observe the provisions of specific legislation, in particular the provisions contained in Law No. 9,507, of November 12, 1997 (Habeas Data Law), Law No. 9,784, of January 29, 1999 (General Law on Administrative Procedure), and Law No. 12,527, of November 18, 2011 (Access to Information Law).

§ 4 Notarial and registration services performed in a private manner, by delegation of the Public Power, will have the same treatment given to legal entities referred to in the caput of this article, under the terms of this Law.

§ 5 The notary and registry bodies must provide access to data by electronic means for the public administration, in view of the purposes mentioned in the caput of this article.

Art. 24. Public companies and mixed capital companies that operate on a competitive basis, subject to the provisions of art. 173 of the Federal Constitution, will have the same treatment given to private legal entities governed by private law, under the terms of this Law.

Single paragraph. Public companies and mixed capital companies, when operating public policies and within the scope of their execution, will have the same treatment given to public bodies and entities, under the terms of this Chapter.

Art. 25. Data must be kept in an interoperable and structured format for shared use, with a view to implementing public policies, providing public services, decentralizing public activity and disseminating and accessing information by the general public.

Art. 26. The shared use of personal data by the Government must meet the specific purposes of implementing public policies and legal attribution by public bodies and entities, respecting the principles of protection of personal data listed in art. 6 of this Law.

§ 1 The Public Power is prohibited from transferring personal data contained in databases to which it has access to private entities, except:

I - in cases of decentralized execution of public activity that requires the transfer, exclusively for this specific and determined purpose, subject to the provisions of Law No. 12,527, of November 18, 2011 (Access to Information Law);

II - (VETOED);

III - in cases where the data are publicly accessible, in compliance with the provisions of this Law.

IV - when there is a legal provision or the transfer is supported by contracts, agreements or similar instruments; or      (Included by Law No. 13,853 of 2019)      Validity

V - in the event that the transfer of data is aimed exclusively at preventing fraud and irregularities, or protecting and safeguarding the security and integrity of the data subject, provided that processing for other purposes is prohibited.   (Included by Law No. 13,853 of 2019)      Validity

§ 2 The contracts and agreements referred to in § 1 of this article must be communicated to the national authority.

Art. 27. The communication or shared use of personal data by a legal entity governed by public law with a person governed by private law will be reported to the national authority and will depend on the consent of the holder, except:

I - in the event of waiver of consent provided for in this Law;

II - in cases of shared use of data, in which publicity will be given under the terms of item I of the caput of art. 23 of this Law; or

III - in the exceptions contained in § 1 of art. 26 of this Law.

Single paragraph. The information to the national authority referred to in the caput of this article will be subject to regulation.      (Included by Law No. 13,853 of 2019)     Validity

Art. 28. (VETOED).

Art. 29. The national authority may request, at any time, the bodies and entities of the public power to carry out operations for the processing of personal data, specific information on the scope and nature of the data and other details of the processing carried out, and may issue a complementary technical opinion to ensure compliance with this Law. (Wording provided by Law No. 13,853, of 2019) Validity

Art. 30. The national authority may establish complementary rules for communication activities and the shared use of personal data.

Section II
Responsibility

Art. 31. When there is a violation of this Law as a result of the processing of personal data by public bodies, the national authority may send a report with appropriate measures to put an end to the violation.

Art. 32. The national authority may request Public Power agents to publish impact reports on the protection of personal data and suggest the adoption of standards and good practices for the processing of personal data by the Public Power.

CHAPTER V
INTERNATIONAL DATA TRANSFER

Art. 33. The international transfer of personal data is only allowed in the following cases:

I - for countries or international organizations that provide a level of protection of personal data adequate to that provided for in this Law;

II - when the controller offers and proves guarantees of compliance with the principles, the rights of the holder and the data protection regime provided for in this Law, in the form of:

a) specific contractual clauses for a given transfer;

b) standard contractual clauses;

c) global corporate standards;

d) regularly issued seals, certificates and codes of conduct;

III - when the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution agencies, in accordance with the instruments of international law;

IV - when the transfer is necessary to protect the life or physical safety of the holder or a third party;

V - when the national authority authorizes the transfer;

VI - when the transfer results in a commitment assumed in an international cooperation agreement;

VII - when the transfer is necessary for the execution of public policy or legal attribution of the public service, publicity being given under the terms of item I of the caput of art. 23 of this Law;

VIII - when the holder has provided his specific and highlighted consent for the transfer, with prior information on the international nature of the operation, clearly distinguishing it from other purposes; or

IX - when necessary to meet the hypotheses provided for in items II, V and VI of art. 7 of this Law.

Single paragraph. For the purposes of item I of this article, legal entities governed by public law referred to in the sole paragraph of art. 1 of Law No. 12,527, of November 18, 2011 (Access to Information Law), within the scope of their legal competences, and those responsible, within the scope of their activities, may request the national authority to assess the level of protection of personal data granted by a country or international organization.

Art. 34. The level of data protection of the foreign country or of the international organization mentioned in item I of the caput of art. 33 of this Law will be evaluated by the national authority, which will take into account:

I - the general and sectorial norms of the legislation in force in the country of destination or in the international organization;

II - the nature of the data;

III - the observance of the general principles of protection of personal data and rights of the holders foreseen in this Law;

IV - the adoption of security measures provided for in regulation;

V - the existence of judicial and institutional guarantees to respect the rights of protection of personal data; and

VI - other specific circumstances relating to the transfer.

Art. 35. The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a given transfer, global corporate norms or seals, certificates and codes of conduct, referred to in item II of the caput of art. 33 of this Law, will be carried out by the national authority.

§ 1 In order to verify the provisions of the caput of this article, the minimum requirements, conditions and guarantees for the transfer that observe the rights, guarantees and principles of this Law must be considered.

§ 2 In the analysis of contractual clauses, documents or global corporate rules submitted for approval by the national authority, supplementary information may be requested or verification steps taken regarding the processing operations, when necessary.

§ 3 The national authority may designate certification bodies to carry out the provisions of the caput of this article, which will remain under its supervision under the terms defined in the regulation.

§ 4 The acts performed by a certification body may be reviewed by the national authority and, if in disagreement with this Law, submitted to review or annulled.

§ 5 The sufficient guarantees of compliance with the general principles of protection and the rights of the holder referred to in the caput of this article will also be analyzed according to the technical and organizational measures adopted by the operator, in accordance with the provisions of §§ 1 and 2 of art. 46 of this Law.

Art. 36. The alterations in the guarantees presented as sufficient to comply with the general principles of protection and the rights of the holder referred to in item II of art. 33 of this Law must be communicated to the national authority.

CHAPTER VI
PERSONAL DATA PROCESSING AGENTS

Section I
The Controller and the Operator

Art. 37. The controller and the operator must keep a record of the personal data processing operations they carry out, especially when based on legitimate interest.

Art. 38. The national authority may order the controller to prepare an impact report on the protection of personal data, including sensitive data, referring to its data processing operations, under the terms of the regulation, observing commercial and industrial secrets.

Single paragraph. In compliance with the provisions of the caput of this article, the report must contain, at least, a description of the types of data collected, the methodology used to collect and guarantee the security of information and the controller's analysis regarding measures, safeguards and risk mitigation mechanisms adopted.

Art. 39. The operator must carry out the treatment in accordance with the instructions provided by the controller, who will verify compliance with the instructions and regulations on the matter.

Art. 40. The national authority may provide for interoperability standards for portability, free access to data and security, as well as for the retention time of records, especially in view of necessity and transparency.

Section II
The Person in Charge of the Processing of Personal Data

Art. 41. The controller must appoint the person in charge of processing personal data.

§ 1 The identity and contact information of the person in charge must be publicly disclosed, clearly and objectively, preferably on the controller's website.

§ 2 The activities of the person in charge consist of:

I - accept complaints and communications from the holders, provide clarifications and adopt measures;

II - receive communications from the national authority and adopt measures;

III - guide the entity's employees and contractors regarding the practices to be adopted in relation to the protection of personal data; and

IV - perform the other attributions determined by the controller or established in complementary rules.

§ 3 The national authority may establish complementary rules on the definition and attributions of the person in charge, including cases of exemption from the need for their indication, according to the nature and size of the entity or the volume of data processing operations.

§ 4 (VETOED). (Included by Law No. 13,853 of 2019) Validity

Section III
Liability and Compensation for Damages

Art. 42. The controller or operator who, due to the exercise of personal data processing activity, causes property, moral, individual or collective damage to others, in violation of personal data protection legislation, is obliged to repair it.

§ 1 In order to ensure effective compensation to the data subject:

I - the operator is jointly liable for damages caused by the treatment when it fails to comply with the obligations of the data protection legislation or when it has not followed the lawful instructions of the controller, in which case the operator is equivalent to the controller, except in the cases of exclusion provided for in art. 43 of this Law;

II - controllers who are directly involved in the treatment that resulted in damage to the data subject are jointly and severally liable, except in the cases of exclusion provided for in art. 43 of this Law.

§ 2 The judge, in civil proceedings, may invert the burden of proof in favor of the data subject when, in his opinion, the allegation is credible, there is insufficient evidence for the production of evidence or when the production of evidence by the data subject proves excessively burdensome.

§ 3 Actions for reparation for collective damages that have as their object liability under the terms of the caput of this article may be exercised collectively in court, subject to the provisions of the relevant legislation.

§ 4 The person who repairs the damage to the holder has the right of recourse against the other responsible parties, to the extent of their participation in the harmful event.

Art. 43. Processing agents will not be held liable only when they prove:

I - that they have not processed the personal data attributed to them;

II - that, although they have carried out the processing of personal data attributed to them, there has been no violation of data protection legislation; or

III - that the damage is due to the exclusive fault of the data subject or a third party.

Art. 44. The processing of personal data will be irregular when it fails to comply with the legislation or when it does not provide the security that the data subject can expect, considering the relevant circumstances, including:

I - the way in which it is carried out;

II - the result and the risks that are reasonably expected from it;

III - the personal data processing techniques available at the time it was carried out.

Single paragraph. The controller or operator who, by failing to adopt the security measures provided for in art. 46 of this Law, causes the damage.

Art. 45. Cases of infringement of the right of the holder in the context of consumer relations remain subject to the liability rules provided for in the relevant legislation.

CHAPTER VII
SAFETY AND GOOD PRACTICES

Section I
Data Security and Secrecy

Art. 46. Processing agents must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or illicit treatment.

§ 1 The national authority may provide for minimum technical standards to make the provisions of the caput of this article applicable, considering the nature of the information processed, the specific characteristics of the treatment and the current state of technology, especially in the case of sensitive personal data, as well as the principles provided for in the caput of art. 6 of this Law.

§ 2 The measures mentioned in the caput of this article must be observed from the product or service conception phase until its execution.

Art. 47. Processing agents or any other person who intervenes in one of the stages of processing undertakes to guarantee the security of the information provided for in this Law in relation to personal data, even after its termination.

Art. 48. The controller must notify the national authority and the holder of the occurrence of a security incident that may cause significant risk or damage to holders.

§ 1 The communication will be made within a reasonable period, as defined by the national authority, and must mention, at least:

I - a description of the nature of the personal data affected;

II - information about the holders involved;

III - indication of the technical and security measures used for data protection, observing commercial and industrial secrets;

IV - the risks related to the incident;

V - the reasons for the delay, in case the communication was not immediate; and

VI - the measures that have been or will be adopted to reverse or mitigate the effects of the loss.

§ 2 The national authority will verify the seriousness of the incident and may, if necessary to safeguard the rights of the holders, determine to the controller the adoption of measures, such as:

I - wide dissemination of the fact in the media; and

II - measures to reverse or mitigate the effects of the incident.

§ 3 In the judgment of the seriousness of the incident, any evidence that appropriate technical measures were adopted that make the affected personal data unintelligible, within the scope and technical limits of its services, to third parties not authorized to access them, will be evaluated.

Art. 49. The systems used for the processing of personal data must be structured in order to meet the security requirements, the standards of good practices and governance and the general principles provided for in this Law and other regulatory standards.

Section II
Good Practices and Governance

Art. 50. Controllers and operators, within the scope of their competence, for the processing of personal data, individually or through associations, may formulate rules of good practices and governance that establish the conditions of organization, the operating regime, the procedures, including complaints and petitions from data subjects, security rules, technical standards, specific obligations for the various parties involved in the treatment, educational actions, internal mechanisms for supervision and risk mitigation and other aspects related to the processing of personal data.

§ 1 When establishing rules of good practice, the controller and the operator will take into account, in relation to the treatment and data, the nature, scope, purpose and probability and severity of the risks and benefits arising from data processing of the holder.

§ 2 In the application of the principles indicated in items VII and VIII of the caput of art. 6 of this Law, the controller, observing the structure, scale and volume of its operations, as well as the sensitivity of the data processed and the probability and severity of damages to the data subjects, may:

I - implement a privacy governance program that, at a minimum:

a) demonstrates the controller's commitment to adopting internal processes and policies that ensure comprehensive compliance with standards and good practices relating to the protection of personal data;

b) is applicable to the entire set of personal data under its control, regardless of the way in which it was collected;

c) is adapted to the structure, scale and volume of its operations, as well as the sensitivity of the data processed;

d) establishes appropriate policies and safeguards based on a systematic assessment process of privacy impacts and risks;

e) has the objective of establishing a relationship of trust with the holder, through transparent action and that ensures mechanisms for the holder's participation;

f) is integrated into its overall governance structure and establishes and enforces internal and external oversight mechanisms;

g) has incident response and remediation plans; and

h) is constantly updated based on information obtained from continuous monitoring and periodic evaluations;

II - demonstrate the effectiveness of its privacy governance program when appropriate and, in particular, at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which independently promote compliance with this Law.

§ 3 The rules of good practices and governance must be published and updated periodically and may be recognized and disseminated by the national authority.

Art. 51. The national authority will encourage the adoption of technical standards that facilitate control by the holders of their personal data.

CHAPTER VIII
INSPECTION

Section I
Administrative Sanctions

Art. 52. Data processing agents, due to violations of the rules provided for in this Law, are subject to the following administrative sanctions applicable by the national authority: (Validity)

I - warning, indicating a deadline for the adoption of corrective measures;

II - simple fine of up to 2% (two percent) of the revenue of the legal entity governed by private law, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to R$50,000,000.00 (fifty million reais) per infraction;

III - daily fine, observing the total limit referred to in item II;

IV - publication of the infraction after its occurrence has been duly investigated and confirmed;

V - blocking of the personal data to which the infraction refers until its regularization;

VI - deletion of the personal data to which the infraction refers;

VII - (VETOED);

VIII - (VETOED);

IX - (VETOED).

X - partial suspension of the operation of the database to which the infraction refers for a maximum period of 6 (six) months, extendable for an equal period, until the treatment activity is regularized by the controller;  (Included by Law No. 13,853 of 2019)  

XI - suspension of the exercise of the activity of processing the personal data to which the infraction refers for a maximum period of 6 (six) months, extendable for an equal period;  (Included by Law No. 13,853 of 2019)  

XII - partial or total prohibition of activities related to data processing.  (Included by Law No. 13,853 of 2019)  

§ 1 The sanctions will be applied after an administrative procedure that allows the opportunity for a full defense, gradually, isolated or cumulatively, according to the peculiarities of the specific case and considering the following parameters and criteria:

I - the seriousness and nature of the violations and personal rights affected;

II - the good faith of the offender;

III - the advantage obtained or intended by the offender;

IV - the economic condition of the violator;

V - recidivism;

VI - the degree of damage;

VII - the cooperation of the offender;

VIII - the repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing the damage, aimed at the safe and adequate treatment of data, in accordance with the provisions of item II of § 2 of art. 48 of this Law;

IX - the adoption of a policy of good practices and governance;

X - the prompt adoption of corrective measures; and

XI - the proportionality between the seriousness of the fault and the intensity of the sanction.

§ 2 The provisions of this article do not replace the application of administrative, civil or criminal sanctions defined in Law No. 8078, of September 11, 1990, and in specific legislation.       (Wording provided by Law No. 13,853, of 2019)

§ 3 The provisions of items I, IV, V, VI, X, XI and XII of the caput of this article may be applied to public entities and bodies, without prejudice to the provisions of Law No. 8,112, of December 11, 1990, Law No. 8,429, of June 2, 1992, and Law No. 12,527, of November 18, 2011. (Promulgation vetoed parts)

§ 4 In the calculation of the amount of the fine referred to in item II of the caput of this article, the national authority may consider the total revenue of the company or group of companies, when it does not have the amount of revenue in the field of business activity in which the infringement occurred, as defined by the national authority, or when the amount is presented incompletely or is not demonstrated unequivocally and reputably.

§ 5 The proceeds from the collection of fines imposed by the ANPD, registered or not in active debt, will be destined to the Fund for the Defense of Diffuse Rights referred to in art. 13 of Law No. 7,347, of July 24, 1985, and Law No. 9,008, of March 21, 1995.     (Included by Law No. 13,853 of 2019)    

§ 6 The sanctions provided for in items X, XI and XII of the caput of this article shall be applied:     (Included by Law No. 13,853 of 2019)

I - only after at least 1 (one) of the sanctions dealt with in items II, III, IV, V and VI of the caput of this article have already been imposed for the same specific case; and     (Included by Law No. 13,853 of 2019)

II - in the case of controllers submitted to other bodies and entities with sanctioning powers, after hearing these bodies.     (Included by Law No. 13,853 of 2019)

§ 7 The individual leaks or unauthorized access referred to in the caput of art. 46 of this Law may be the object of direct conciliation between controller and holder and, if there is no agreement, the controller will be subject to the application of the penalties mentioned in this article.     (Included by Law No. 13,853 of 2019)    

Art. 53. The national authority will define, through its own regulation on administrative sanctions for violations of this Law, which must be subject to public consultation, the methodologies that will guide the calculation of the base value of fine sanctions.     (Validity)

§ 1 The methodologies referred to in the caput of this article must be previously published, for the knowledge of the treatment agents, and must objectively present the forms and dosimetries for the calculation of the base value of the fine sanctions, which must contain detailed reasoning of all its elements, demonstrating compliance with the criteria set forth in this Law.

§ 2 The regulation of sanctions and corresponding methodologies must establish the circumstances and conditions for the adoption of a simple or daily fine.

Art. 54. The amount of the daily fine applicable to violations of this Law must observe the seriousness of the fault and the extent of the damage or loss caused and be substantiated by the national authority.     (Validity)

Single paragraph. The subpoena of the daily fine sanction must contain, at a minimum, the description of the obligation imposed, the reasonable period stipulated by the body for its compliance and the value of the daily fine to be applied for its non-compliance.

CHAPTER IX
THE NATIONAL DATA PROTECTION AUTHORITY (ANPD) AND THE NATIONAL COUNCIL FOR THE PROTECTION OF PERSONAL DATA AND PRIVACY

Section I
The National Data Protection Authority (ANPD)

Art. 55. (VETOED).

Art. 55-A. The National Data Protection Authority (ANPD), a federal public administration body, part of the Presidency of the Republic, is created, with no increase in expenses.         (Included by Law No. 13,853 of 2019)

§ 1 The legal nature of the ANPD is transitory and may be transformed by the Executive Power into an indirect federal public administration entity, subject to a special autonomous regime and linked to the Presidency of the Republic.         (Included by Law No. 13,853 of 2019)

§ 2 The evaluation regarding the transformation provided for in § 1 of this article shall take place within 2 (two) years from the date of entry into force of the regimental structure of the ANPD.          (Included by Law No. 13,853 of 2019)

§ 3 The provision of the positions and functions necessary for the creation and operation of the ANPD is conditioned to the express physical and financial authorization in the annual budget law and to the permission in the budget guidelines law.         (Included by Law No. 13,853 of 2019)

Art. 55-B. Technical and decision-making autonomy is assured to the ANPD.        (Included by Law No. 13,853 of 2019)

Art. 55-C. The ANPD is made up of:         (Included by Law No. 13,853 of 2019)

I - Board of Directors, the highest governing body;        (Included by Law No. 13,853 of 2019)

II - National Council for the Protection of Personal Data and Privacy;         (Included by Law No. 13,853 of 2019)

III - Internal Affairs;          (Included by Law No. 13,853 of 2019)

IV - Ombudsman;          (Included by Law No. 13,853 of 2019)

V - own legal advisory body; and         (Included by Law No. 13,853 of 2019)

VI - administrative units and specialized units necessary for the application of the provisions of this Law.           (Included by Law No. 13,853 of 2019)

Art. 55-D. The ANPD Board of Directors will be composed of 5 (five) directors, including the Chief Executive Officer.          (Included by Law No. 13,853 of 2019)

§ 1 The members of the ANPD Board of Directors will be chosen by the President of the Republic and appointed by him, after approval by the Federal Senate, pursuant to subparagraph 'f' of item III of art. 52 of the Federal Constitution, and will occupy a position in a committee of the Superior Management and Advisory Group - DAS, at least level 5.          (Included by Law No. 13,853 of 2019)

§ 2 The members of the Board of Directors will be chosen from among Brazilians who have an unblemished reputation, a superior level of education and a high concept in the field of specialty of the positions to which they will be appointed.         (Included by Law No. 13,853 of 2019)

§ 3 The term of office of the members of the Board of Directors will be 4 (four) years.         (Included by Law No. 13,853 of 2019)

§ 4 The terms of office of the first members of the Board of Directors appointed will be 2 (two), 3 (three), 4 (four), 5 (five) and 6 (six) years, as established in the act of appointment.         (Included by Law No. 13,853 of 2019)

§ 5 In the event of vacancy in the position during the term of office of a member of the Board of Directors, the remaining term will be completed by the successor.          (Included by Law No. 13,853 of 2019)

Art. 55-E. The members of the Board of Directors will only lose their positions as a result of resignation, final and unappealable judicial conviction or dismissal resulting from disciplinary administrative proceedings.        (Included by Law No. 13,853 of 2019)

§ 1 Under the terms of the caput of this article, it is incumbent upon the Minister of State, Chief of Staff of the Presidency of the Republic, to initiate the disciplinary administrative process, which will be conducted by a special commission made up of stable federal public servants. (Included by Law No. 13,853 of 2019)

§ 2 It is incumbent upon the President of the Republic to determine preventive removal, only when recommended by the special commission referred to in § 1 of this article, and to render the judgment.         (Included by Law No. 13,853 of 2019)

Art. 55-F. The provisions of art. 6 of Law No. 12,813, of May 16, 2013.         (Included by Law No. 13,853 of 2019)

Single paragraph. Violation of the provisions of the caput of this article characterizes an act of administrative improbity.          (Included by Law No. 13,853 of 2019)

Art. 55-G. Act of the President of the Republic will provide for the regimental structure of the ANPD.          (Included by Law No. 13,853 of 2019)

§ 1 Until the date of entry into force of its regimental structure, the ANPD will receive technical and administrative support from the Civil House of the Presidency of the Republic for the exercise of its activities. (Included by Law No. 13,853 of 2019)

§ 2 The Board of Directors shall provide for the ANPD's internal regulations. (Included by Law No. 13,853 of 2019)

Art. 55-H. The positions in commission and the functions of trust of the ANPD will be reassigned from other bodies and entities of the federal Executive Power.         (Included by Law No. 13,853 of 2019)

Art. 55-I. The occupants of the positions in commission and the functions of trust of the ANPD will be appointed by the Board of Directors and appointed or designated by the Chief Executive Officer.           (Included by Law No. 13,853 of 2019)

Art. 55-J. It is incumbent upon the ANPD:       (Included by Law No. 13,853 of 2019)

I - ensure the protection of personal data, under the terms of the legislation;          (Included by Law No. 13,853 of 2019)

II - ensure the observance of commercial and industrial secrets, observing the protection of personal data and the confidentiality of information when protected by law or when the breach of confidentiality violates the foundations of art. 2 of this Law;          (Included by Law No. 13,853 of 2019)

III - develop guidelines for the National Policy for the Protection of Personal Data and Privacy;         (Included by Law No. 13,853 of 2019)

IV - inspect and apply sanctions in case of data processing carried out in breach of the legislation, through an administrative process that ensures the adversary system, ample defense and the right of appeal;          (Included by Law No. 13,853 of 2019)

V - examine petitions by the holder against the controller after the holder proves that the complaint to the controller has not been resolved within the period established in the regulations;         (Included by Law No. 13,853 of 2019)

VI - promote knowledge of the rules and public policies on the protection of personal data and security measures among the population;         (Included by Law No. 13,853 of 2019)

VII - promote and prepare studies on national and international practices for the protection of personal data and privacy;          (Included by Law No. 13,853 of 2019)

VIII - encourage the adoption of standards for services and products that facilitate the exercise of control by holders over their personal data, which must take into account the specifics of the activities and the size of those responsible;          (Included by Law No. 13,853 of 2019)

IX - promote cooperation actions with authorities for the protection of personal data in other countries, of an international or transnational nature;            (Included by Law No. 13,853 of 2019)

X - provide for the forms of publicity of personal data processing operations, respecting commercial and industrial secrets;            (Included by Law No. 13,853 of 2019)

XI - request, at any time, from public authorities that carry out personal data processing operations, a specific report on the scope, nature of the data and other details of the treatment carried out, with the possibility of issuing a complementary technical opinion to guarantee compliance with this Law;         (Included by Law No. 13,853 of 2019)

XII - prepare annual management reports about its activities;           (Included by Law No. 13,853 of 2019)

XIII - edit regulations and procedures on the protection of personal data and privacy, as well as on reports of impact on the protection of personal data for cases in which the treatment represents a high risk to the guarantee of the general principles of protection of personal data provided for in this Law;          (Included by Law No. 13,853 of 2019)

XIV - listen to treatment agents and society in matters of relevant interest and report on their activities and planning;           (Included by Law No. 13,853 of 2019)

XV - collect and apply its income and publish, in the management report referred to in item XII of the main section of this article, the details of its income and expenses;         (Included by Law No. 13,853 of 2019)

XVI - carry out audits, or determine their performance, within the scope of the inspection activity referred to in item IV and with due observance of the provisions of item II of the caput of this article, on the processing of personal data carried out by the processing agents, including the public power;            (Included by Law No. 13,853 of 2019)

XVII - enter into, at any time, a commitment with processing agents to eliminate irregularities, legal uncertainty or contentious situations within the scope of administrative proceedings, in accordance with the provisions of Decree-Law No. 4,657, of September 4, 1942;          (Included by Law No. 13,853 of 2019)

XVIII - edit simplified and differentiated rules, guidelines and procedures, including regarding deadlines, so that micro and small companies, as well as business initiatives of an incremental or disruptive nature that declare themselves to be startups or innovation companies, can adapt to this Law;          (Included by Law No. 13,853 of 2019)

XIX - ensure that the processing of data on the elderly is carried out in a simple, clear, accessible and appropriate manner for their understanding, under the terms of this Law and Law No. 10,741, of October 1, 2003 (Statute of the Elderly);        (Included by Law No. 13,853 of 2019)

XX - decide, in the administrative sphere, in a final character, on the interpretation of this Law, its competences and the omissions;           (Included by Law No. 13,853 of 2019)

XXI - communicate to the competent authorities the criminal offenses of which it has knowledge;          (Included by Law No. 13,853 of 2019)

XXII - communicate to the internal control bodies the non-compliance with the provisions of this Law by bodies and entities of the federal public administration;          (Included by Law No. 13,853 of 2019)

XXIII - articulate with public regulatory authorities to exercise their powers in specific sectors of economic and governmental activities subject to regulation; and          (Included by Law No. 13,853 of 2019)

XXIV - implement simplified mechanisms, including electronically, for the registration of complaints about the processing of personal data in violation of this Law.         (Included by Law No. 13,853 of 2019)

§ 1 When imposing administrative constraints on the processing of personal data by a private processing agent, whether they are limits, charges or subjections, the ANPD must observe the requirement of minimal intervention, ensuring the grounds, principles and rights of data subjects provided for in art. 170 of the Federal Constitution and in this Law.           (Included by Law No. 13,853 of 2019)

§ 2 The regulations and standards issued by the ANPD must be preceded by public consultation and hearing, as well as regulatory impact analyses.          (Included by Law No. 13,853 of 2019)

§ 3 The ANPD and the public bodies and entities responsible for regulating specific sectors of economic and governmental activity must coordinate their activities, in the corresponding spheres of action, with a view to ensuring the fulfillment of their attributions with the greatest efficiency and promoting the proper functioning of the regulated sectors, according to specific legislation, and the processing of personal data, in the form of this Law.        (Included by Law No. 13,853 of 2019)

§ 4 The ANPD will maintain a permanent forum for communication, including through technical cooperation, with public administration bodies and entities responsible for regulating specific sectors of economic and governmental activity, in order to facilitate the regulatory, supervisory and punitive powers of the ANPD.         (Included by Law No. 13,853 of 2019)

§ 5 In the exercise of the powers mentioned in the caput of this article, the competent authority shall ensure the preservation of business secrecy and the confidentiality of information, under the terms of the law.         (Included by Law No. 13,853 of 2019)

§ 6 Complaints collected in accordance with the provisions of item V of the caput of this article may be analyzed in aggregate form, and any measures arising from them may be adopted in a standardized manner.          (Included by Law No. 13,853 of 2019)

Art. 55-K. The application of the sanctions provided for in this Law is exclusively the responsibility of the ANPD, and its powers will prevail, with regard to the protection of personal data, over the related powers of other entities or bodies of the public administration.          (Included by Law No. 13,853 of 2019)

Single paragraph. The ANPD will coordinate its work with other bodies and entities with sanctioning and regulatory powers related to the protection of personal data and will be the central body for the interpretation of this Law and the establishment of rules and guidelines for its implementation.           (Included by Law No. 13,853 of 2019)

Art. 55-L. The ANPD's revenues are:         (Included by Law No. 13,853 of 2019)

I - the appropriations consigned in the general budget of the Union, the special credits, the additional credits, and the transfers and pass-through funds conferred on it;         (Included by Law No. 13,853 of 2019)

II - donations, legacies, subsidies and other resources intended for it;           (Included by Law No. 13,853 of 2019)

III - the values determined in the sale or rental of movable and immovable property owned by it;          (Included by Law No. 13,853 of 2019)

IV - the amounts calculated in financial market applications of the revenues provided for in this article;           (Included by Law No. 13,853 of 2019)

V - (VETOED);         (Included by Law No. 13,853 of 2019)

VI - funds arising from covenants, agreements or contracts entered into with entities, organizations or companies, public or private, national or international;         (Included by Law No. 13,853 of 2019)

VII - the proceeds from the sale of publications, technical material, data and information, including for public bidding purposes.          (Included by Law No. 13,853 of 2019)

Art. 56. (VETOED).

Art. 57. (VETOED).

Section II
The National Council for the Protection of Personal Data and Privacy

Art. 58. (VETOED).

Art. 58-A. The National Council for the Protection of Personal Data and Privacy will be composed of 23 (twenty-three) representatives, holders and alternates, from the following bodies:   (Included by Law No. 13,853 of 2019)

I - 5 (five) of the Federal Executive Branch;     (Included by Law No. 13,853 of 2019)

II - 1 (one) of the Federal Senate;   (Included by Law No. 13,853 of 2019)

III - 1 (one) of the Chamber of Deputies;          (Included by Law No. 13,853 of 2019)

IV - 1 (one) of the National Council of Justice;          (Included by Law No. 13,853 of 2019)

V - 1 (one) of the National Council of the Public Ministry;           (Included by Law No. 13,853 of 2019)

VI - 1 (one) of the Brazilian Internet Steering Committee;           (Included by Law No. 13,853 of 2019)

VII - 3 (three) of civil society entities with activities related to the protection of personal data;         (Included by Law No. 13,853 of 2019)

VIII - 3 (three) from scientific, technological and innovation institutions;           (Included by Law No. 13,853 of 2019)

IX - 3 (three) of union confederations representing the economic categories of the productive sector;          (Included by Law No. 13,853 of 2019)

X - 2 (two) from entities representing the business sector related to the area of personal data processing; and          (Included by Law No. 13,853 of 2019)

XI - 2 (two) from entities representing the labor sector.         (Included by Law No. 13,853 of 2019)

§ 1 The representatives will be designated by act of the President of the Republic, delegation being permitted.        (Included by Law No. 13,853 of 2019)

§ 2 The representatives referred to in items I, II, III, IV, V and VI of the caput of this article and their alternates shall be appointed by the holders of the respective bodies and entities of the public administration.           (Included by Law No. 13,853 of 2019)

§ 3 The representatives referred to in items VII, VIII, IX, X and XI of the main section of this article and their alternates:           (Included by Law No. 13,853 of 2019)

I - will be indicated in the form of a regulation;         (Included by Law No. 13,853 of 2019)

II - cannot be members of the Brazilian Internet Steering Committee;            (Included by Law No. 13,853 of 2019)

III - will have a term of office of 2 (two) years, with 1 (one) renewal allowed.           (Included by Law No. 13,853 of 2019)

§ 4 Participation in the National Council for the Protection of Personal Data and Privacy will be considered to be the provision of a relevant, unpaid public service.            (Included by Law No. 13,853 of 2019)

Art. 58-B. It is incumbent upon the National Council for the Protection of Personal Data and Privacy:           (Included by Law No. 13,853 of 2019)

I - propose strategic guidelines and provide subsidies for the elaboration of the National Policy for the Protection of Personal Data and Privacy and for the performance of the ANPD;           (Included by Law No. 13,853 of 2019)

II - prepare annual evaluation reports on the execution of the actions of the National Policy for the Protection of Personal Data and Privacy;            (Included by Law No. 13,853 of 2019)

III - suggest actions to be carried out by the ANPD;          (Included by Law No. 13,853 of 2019)

IV - prepare studies and hold debates and public hearings on the protection of personal data and privacy; and          (Included by Law No. 13,853 of 2019)

V - disseminate knowledge about the protection of personal data and privacy to the population.          (Included by Law No. 13,853 of 2019)

Art. 59. (VETOED).

CHAPTER X
FINAL AND TRANSITIONAL PROVISIONS

Art. 60. Law No. 12,965, of April 23, 2014 (Marco Civil da Internet), takes effect with the following changes:

“Art. 7th ........................................................................

................................................................................

X - definitive deletion of personal data that you have provided to a certain internet application, at your request, at the end of the relationship between the parties, except in the cases of mandatory record keeping provided for in this Law and in the provisions on the protection of personal data;

................................................................................” (NR)

“Art. 16. ........................................................................

................................................................................

II - personal data that are excessive in relation to the purpose for which consent was given by the holder, except in the cases provided for in the Law that provides for the protection of personal data.” (NR)

Art. 61. The foreign company will be notified and summoned of all procedural acts provided for in this Law, regardless of power of attorney or contractual or statutory provision, in the person of the agent or representative or person responsible for its branch, agency, branch, establishment or office installed in Brazil.

Art. 62. The national authority and the National Institute of Educational Studies and Research Anísio Teixeira (Inep), within the scope of their powers, will issue specific regulations for access to data processed by the Union in order to comply with the provisions of § 2 of art. 9 of Law No. 9,394, of December 20, 1996 (National Education Guidelines and Bases Law), and those referring to the National Higher Education Assessment System (Sinaes), which is addressed by Law No. 10,861, of April 14, 2004.

Art. 63. The national authority will establish rules on the progressive adaptation of databases created up to the date of entry into force of this Law, considering the complexity of the processing operations and the nature of the data.

Art. 64. The rights and principles expressed in this Law do not exclude others provided for in the national legal system related to the matter or in international treaties to which the Federative Republic of Brazil is a party.

Art. 65. This Law enters into force:            (Wording provided by Law No. 13,853, of 2019)

I - December 28, 2018, regarding arts. 55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55-I, 55-J, 55-K, 55-L, 58-A and 58-B; and           (Included by Law No. 13,853 of 2019)

I-A - August 1, 2021, regarding arts. 52, 53 and 54;        (Included by Law No. 14,010 of 2020)

II - 24 (twenty-four) months after the date of its publication, regarding the other articles.           (Included by Law No. 13,853 of 2019)

Brasilia, August 14, 2018; 197th of Independence and 130th of the Republic.

 

MICHEL TEMER

Torquato Jardim

Aloysio Nunes Ferreira Filho

Eduardo Refinetti Guardia

Esteves Pedro Colnago Junior

Gilberto Magalhaes Occhi

Gilberto Kassab

Wagner de Campos Rosario

Gustavo do Vale Rocha

Ilan Goldfajn

Raul Jungmann

Eliseu Padilha
