In 2018, the General Data Protection Law (Law 13.709/2018, the "LGPD") was enacted, regulating the handling of personal data in a general manner and replacing the sparse and sectoral rules under which the right to privacy and data protection had until then been regulated in Brazil. On September 18, 2020, the LGPD entered into force, except for Articles 52, 53 and 54 of the LGPD, which address administrative sanctions and have been in force since August 1, 2021, pursuant to Law 14.010/2020.
The LGPD establishes a new legal framework to be followed in the handling of personal data and provides for, among other matters, the rights of personal data subjects, the legal bases applicable to the processing of personal data, the requirements for obtaining consent, the obligations and requirements related to security incidents, leaks and data transfers, and the authorization for the creation of the National Data Protection Authority, which is responsible for preparing guidelines and applying administrative sanctions in case of non-compliance with the LGPD. On August 26, 2020, the federal executive branch issued Decree 10.474/2020, approving the regulatory framework and the table of commissioned positions and trust functions of the National Data Protection Authority ("ANPD").
The Company collects, uses, processes, stores and manages personal data in the normal course of its business. Such personal data may be handled in violation of the legislation and is exposed to security incidents, particularly intrusion, breach, blocking, hijacking or leaks. The Company must also provide a secure environment for the handling of data subjects' personal data. Investment in maintaining the technical and administrative conditions for information security and the protection of personal data at the Company will also be necessary, including to support its corporate governance framework for the protection of personal data. Moreover, under the LGPD, the Company has a legal duty to maintain a communication channel with the data subjects whose personal data it handles.
The LGPD also establishes that the following information must be provided to data subjects, including through privacy notices: (i) specific handling purpose(s); (ii) handling means and duration; (iii) identification of the data controller; (iv) data controller contact information; (v) information regarding the sharing of personal data with third parties and the purpose; and (vi) liability of the processing agents involved.
Since August 2021, with the entry into force of the LGPD sanctions, the Company and its subsidiaries may be subject to the following sanctions, applied gradually, individually or cumulatively: (i) a warning, with an indication of the deadline for adopting corrective measures; (ii) an obligation to disclose the incident; (iii) partial suspension of the operation of the database to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period, until the handling activity is regularized by the data controller; (iv) suspension of the personal data handling activity referred to in the infraction for a maximum period of 6 (six) months, extendable for an equal period; (v) temporary blocking and/or deletion of personal data; and (vi) a fine of up to 2% (two percent) of the revenue of the company, group or conglomerate in Brazil in its last fiscal year, excluding taxes, up to a global amount of R$ 50,000,000.00 per infraction.
Regardless of the applicability of administrative sanctions, non-compliance with any provision of the LGPD entails the following risks: (i) the filing of individual or collective lawsuits claiming indemnity for damages resulting from violations, based not only on the LGPD but also on the sparse and sectoral data protection legislation still in force; and (ii) the application of the penalties provided for in the Brazilian Civil Rights Framework for the Internet, in case of violation of its provisions, notably the security rules for the online storage of information.
Furthermore, the Company may be liable for material, moral, individual or collective damages it causes, and may be held jointly and severally liable for material, moral, individual or collective damages caused by the Company and its subsidiaries, due to non-compliance with the obligations established by the LGPD. Thus, failures in the protection of personal data handled by the Company, as well as non-compliance with the applicable legislation, can lead to high fines, disclosure of the incident to the market, deletion of personal data from its databases, and even the suspension of its handling activities, which could negatively affect the Company's reputation, image and results.