EVERYTHING YOU REALLY NEED TO KNOW ABOUT THE #LGPD
Summary
TL;DR: This video provides an essential overview of Brazil's General Data Protection Law (LGPD), enacted in 2018. It explains the law's application to both individuals and businesses, detailing key concepts such as personal data, sensitive data, and anonymized data. The video highlights the rights of data subjects, including access, correction, and deletion of data, as well as the responsibilities of companies in ensuring data protection. It also covers the creation of the National Data Protection Authority (ANPD), the legal bases for data processing, and the penalties for non-compliance, offering crucial insights for businesses and individuals alike.
Takeaways
- LGPD (General Data Protection Law) was approved in 2018 and applies to businesses of all sizes, including small businesses and global corporations, as well as independent professionals.
- Personal data includes any information that can identify a person, such as names, addresses, emails, and even professional details like occupation.
- Sensitive data, such as health information, racial or ethnic origin, religious beliefs, and political opinions, is subject to stricter protection under LGPD.
- Data anonymization must be irreversible for it to be outside the scope of LGPD, and organizations should be cautious with small sample sizes to prevent identification of individuals.
- LGPD applies to both physical and digital data, meaning businesses must safeguard both electronic and paper records.
- Data controllers are responsible for defining how personal data is used, while data processors handle data on behalf of the controller. Both share responsibility in case of data misuse or damage.
- The Data Protection Officer (DPO) acts as the liaison between the organization, data subjects, and regulatory authorities. DPOs are required for companies dealing with large-scale data processing activities.
- Key principles of LGPD include purpose limitation, transparency, necessity, security, and accountability. Organizations must align their data practices with these principles.
- Legal bases for data processing include consent, legitimate interest, contract necessity, legal obligation, and public health protection. Consent must be clear, informed, and specific.
- Data subjects have rights under LGPD, including the right to access, correct, delete, or request the transfer (portability) of their data, as well as the right to withdraw consent.
- Non-compliance with LGPD can lead to severe penalties, including fines up to 2% of an organization's revenue, capped at 50 million reais per violation, and possible suspension of data processing activities.
Q & A
What is the LGPD and why was it created?
- The LGPD (Lei Geral de Proteção de Dados) is Brazil's General Data Protection Law, approved in August 2018. It regulates how personal data should be handled by companies and public entities, ensuring individuals' privacy rights are protected and providing guidelines for data processing activities.
Who does the LGPD apply to?
- The LGPD applies to any entity, whether private or public, that processes personal data in Brazil. This includes small businesses, large corporations, and autonomous professionals. It also applies to foreign companies that offer goods or services to individuals in Brazil or collect data from Brazilian citizens.
What is considered personal data under the LGPD?
- Personal data is any information that can identify a person, such as names, addresses, emails, IP addresses, financial data, and health-related information. It also includes any other data that can be linked to an individual, either on its own or when combined with other data.
What is the difference between personal data and sensitive personal data?
- Personal data refers to any information that identifies or can identify a person. Sensitive personal data, on the other hand, is a subset of personal data that includes more sensitive information, such as race, ethnicity, health data, religious beliefs, political opinions, or sexual orientation. It is subject to stricter regulations.
What does the term 'data processing' mean in the context of the LGPD?
- Data processing refers to any operation or set of operations performed on personal data, including collection, storage, transmission, modification, deletion, and sharing. Essentially, it covers all activities a company performs on personal data.
What is the role of the Data Protection Authority (ANPD)?
- The ANPD (National Data Protection Authority) is responsible for overseeing and guiding the implementation of the LGPD. It also monitors compliance, issues regulations, and imposes sanctions on companies that violate the law. The ANPD is critical in ensuring that data protection practices are properly followed in Brazil.
What are the main rights of data subjects under the LGPD?
- Data subjects (individuals whose data is being processed) have several rights under the LGPD, including the right to access their data, correct inaccuracies, request data deletion, revoke consent, transfer data to another service provider, and challenge automated decision-making processes.
What are the legal bases for processing personal data under the LGPD?
- The LGPD provides several legal bases for processing personal data: consent (explicit and informed permission from the data subject), compliance with a legal obligation, execution of a contract, legitimate interest, protection of life or physical safety, and health-related purposes, among others.
What obligations do companies have under the LGPD to protect personal data?
- Companies must implement security measures to protect personal data, document and track all data processing activities, ensure data is only collected for legitimate and specific purposes, and delete data once it is no longer needed. They are also required to notify the ANPD and affected individuals in case of data breaches.
What penalties can companies face for non-compliance with the LGPD?
- Companies that fail to comply with the LGPD can face sanctions such as fines up to 2% of their revenue (capped at R$ 50 million per violation), suspension of data processing activities, or even a full cessation of such activities. Individuals can also file lawsuits against non-compliant entities.