Do you know the new General Personal Data Protection Law (LGPD)?
The law establishes rules for the collection, use, treatment and storage of personal data, whether it belongs to employees, customers or suppliers. Under the law (art. 5, I), personal data is information related to an identified or identifiable natural person. It will allow citizens greater control over their personal information by requiring explicit consent to the collection and use of the data, and by requiring options for the information owner to view, correct and delete this data.
Sanctioned in 2018, the General Law on Protection of Personal Data (Law 13,709) came into force in September 2020. The LGPD places Brazil in the group of 120 countries that have a specific law for the protection of personal data. It influences the GDPR (General Data Protection Regulation), which is the law regulating personal data in European countries.
All companies whose information base includes individuals must follow the procedures set out in the new law. Failure to comply with the new requirements may result in fines, which will come into effect from August 2021.
The law determines that the data can be classified into two categories:
1 - Personal Data: any information related to an identified or identifiable individual (name, document number, e-mail, telephone, etc.);
2 - Sensitive Personal Data: racial or ethnic origin, religious conviction, political opinion, affiliation to a union or to an organization of a religious, philosophical or political character, data relating to health or sexual life, genetic or biometric data.
The LGPD lists 10 principles that must be taken into account when processing personal data:
I - PURPOSE: treatment for legitimate, specific, explicit and informed purposes to the holder, without the possibility of further treatment in a manner incompatible with those purposes;
II - SUITABILITY: compatibility of the treatment with the purposes informed to the holder, according to the context of the treatment;
III - NEED: limitation of the treatment to the minimum necessary for the accomplishment of its purposes, with scope of the pertinent data, and not excessive in relation to the purposes of the data treatment;
IV - FREE ACCESS: guarantee, to the holders, free and easy consultation on the form and duration of the treatment, as well as on the completeness of their personal data;
The holder of personal data is entitled to obtain from the company, at any time and upon request:
• Confirmation of the existence of data processing;
• Access to data maintained by the company;
• Correction of incomplete, inaccurate or outdated data;
• Anonymization, blocking or elimination of data that is unnecessary, excessive or treated in non-compliance with the provisions of the LGPD;
• Data portability to another service or product provider, upon express request;
• Elimination of the personal data processed when the consent given by the holder is revoked;
• Information about whom the company shared the data with;
• Revocation of consent.
V - DATA QUALITY: guarantee, to the holders, the data accuracy, clarity, relevance and update;
VI - TRANSPARENCY: guarantee, to the holders, clear, accurate and easily accessible information on the performance of the treatment and the respective treatment agents;
VII - SECURITY: use of technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
VIII - PREVENTION: adoption of measures to prevent the occurrence of damages due to the processing of personal data;
IX - NON-DISCRIMINATION: impossibility of carrying out the treatment for illicit or abusive discriminatory purposes;
X - RESPONSIBILITY AND ACCOUNTABILITY: demonstration, by the agent, of the adoption of effective measures capable of proving the observance and compliance with the rules of protection of personal data and also of the effectiveness of these measures.
To process this data, companies must prove at least one of the following legal bases for the processing of personal data (art. 7):
I - consent by the holder: free, informed and unambiguous expression by which the holder agrees with the treatment of his personal data for a specific purpose;
II - compliance with legal or regulatory obligations by the controller;
III - by the public administration, for the treatment and shared use of data necessary for the execution of public policies;
IV - for carrying out studies by a research body;
V - for the execution of a contract or preliminary procedures related to a contract to which the holder is a party;
VI - for the regular exercise of rights in judicial, administrative or arbitration proceedings;
VII - for the protection of the life or physical security of the holder or third party;
VIII - for the protection of health, in a procedure carried out by health professionals or by health entities;
IX - when necessary to meet the legitimate interests of the controller or third party, considered based on concrete situations, except where the fundamental rights and freedoms of the holder that require the protection of personal data prevail; or
X - for credit protection;
Several countries already have data security policies in place, as you can see in the newsletter below:
The EBARA BOMBAS AMÉRICA DO SUL LTDA group, seeking continuous improvement, created an internal committee that acts directly on the implementation of this law and is adapting the security and compliance policy to the LGPD regulations. We believe that respecting the data privacy of our customers, employees and partners is part of our mission to contribute to society through high quality technologies and services related to water, air and the environment.
We have a specific communication channel to answer questions about the LGPD, which can be accessed by anyone through the email: email@example.com