The General Data Protection Regulation (GDPR, or RGPD in Portuguese), published as Regulation (EU) 2016/679, and the Brazilian General Personal Data Protection Law (LGPD), published by the Brazilian Federal Government as Law No. 13,709 of August 14, 2018, provide for the processing of personal data, including in digital media, by a natural person or legal entity governed by public or private law, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
This website is managed by RD2Buzz, which assumes the obligation to protect the privacy of the reporter.
Information received by us is protected against unauthorized use and disclosure by virtue of specific provisions of the law.
Violation of this law may result in criminal and/or civil liability.
We may collect personal information from you when you visit this website. Generally, you can visit this site without telling us who you are unless you choose to provide that information.
Information security
The regulations and legislation formed here regulate the protection of personal data on the following grounds:
I – respect for privacy;
II – informative self-determination;
III – freedom of expression, information, communication and opinion;
IV – the inviolability of intimacy, honor and image;
Website visit data
The information we record when you access our website includes:
• your IP address or server
• the date and time of your visit to the website
• the pages or files accessed by you
• the time required to transmit the information to you
• the previous Internet address from which you were referred to our website.
The information we collect is analyzed to show broken links on our website, bottlenecks and other problems. We use this information to maintain the website efficiently.
We may also collect information about the IT device you use. This information may be used to identify you and help us perform our functions and activities.
Cookies
We use cookies to maintain contact with a user through a session on the website. Cookies allow us to recognize a browser's sequence of connections as it accesses our website. We use two types of cookies – session cookies and persistent cookies.
Session cookies
These files are only used during a web browser session on our website.
All cookies will be removed immediately when you end your Internet session or turn off your computer. Our copy of your information will be automatically deleted twenty minutes after you last used our system.
This information is only used to help you use our website systems more efficiently, not to track your movements around the Internet or to record your personal information.
Persistent cookies
These files remain in one of your browser’s subfolders until you manually delete them or your browser deletes them based on the duration contained in the persistent cookie file (generally after the end of the current session).
No personal information is stored in the cookies used by our website. No attempt will be made to identify anonymous users or their browsing activities unless we are legally required to do so.
Other information
If, at any time, you believe that we have not adhered to the principles mentioned in this privacy statement, please contact us via email.
Any questions can be sent to info@rd2buzz.com
The person in charge of processing personal data has the function of acting as a communication channel between the institution, the data subjects and the National Data Protection Authority (ANPD).
Responsible
Paulo Bitar
Rua João Antônio de Oliveira, 1228 Torre Avanti Conjunto 143 – Mooca, São Paulo – SP / Brazil
Telephone:
+55(11)3042-8990
Email:
dpo@rd2buzz.com
Legal provision:
LGPD, art. 5, VIII
Assignments
Article 41, §2, of the LGPD
I – accept complaints and communications from holders, provide clarifications and adopt measures;
II – receive communications from the national authority and adopt measures;
III – guide the entity’s employees and contractors regarding the practices to be adopted in relation to the protection of personal data; and
IV – carry out other attributions determined by the controller or established in complementary rules.
Consult the LGPD: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm
EUROPE
Art. 37 GDPR Designation of the data protection officer
Consult: https://gdpr-info.eu/art-37-gdpr/
California, Portugal & Brazil
The right to privacy is a constitutional and essential right for life in society. It guarantees, by law, the security of the private life of any individual, who is responsible for keeping private all the events in his or her life that do not belong to the public sphere.
With the recent changes, and the ease of sharing content, whether in visual or textual format, this right is increasingly being discussed by civil society.
It is necessary for the law to follow the new technologies that have emerged in the last decade, and update themselves to regulate the reality in which we live today.
It is up to all of us at RD2Buzz and you, who are reading this item, to ensure the best form of conduct in protecting yourself and never exposing anything that could harm third parties.
Here, we disclose what information we collect and how we use it (“Terms of Use” and “Privacy Notice”) so that there is more clarity of RD2Buzz’s commitment to the security, confidentiality and integrity of your personal data (“data”).
*This version was last updated on XXXXXXXXXX, 2023 and RD2Buzz may update it at any time, so we invite you to periodically consult this section. The conditions follow Law No. 13,709, of August 14, 2018, known as the General Law for the Protection of Personal Data (LGPD).
By using RD2Buzz services, you confirm that you have read, understood and accept the applicable terms and policies and are bound by them.
It is important to reinforce that our components are available in the form of APIs, with the proper documentation to be integrated and used by our Clients, and, even if no data is sent to us, it is important that we provide the following guidance:
Definitions:
Personal data: information related to an identified or identifiable natural person.
Sensitive personal data: personal data about racial or ethnic origin, religious conviction, political opinion, union affiliation or organization of a religious, philosophical or political nature, data referring to health or sexual life, genetic or biometric data, when linked to a natural person.
Holder: natural person to whom the personal data that are subject to processing refer.
Users (or user, when individually considered): all natural persons who use the services, whether they are data subjects or not.
Third: person or entity that does not directly participate in a contract, in a legal act or in a business, or that, in addition to the parties involved, may have an interest in a legal process.
Controller: natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data.
Operator: natural or legal person, public or private, who processes personal data on behalf of the controller.
Person in charge: person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD).
Treatment agents: the controller and the operator.
National Data Protection Authority (ANPD): public administration body responsible for ensuring, implementing and supervising compliance with this Law throughout the national territory.
Treatment: any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
Shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared treatment of personal databases by public bodies and entities in compliance with their legal competences, or between these and private entities, reciprocally, with specific authorization, to one or more treatment modalities allowed by these public entities, or private entities.
Database: structured set of personal data, established in one or several places, in electronic or physical support.
Malicious codes: any computer program, or part of a program, built with the intention of causing damage, obtaining unauthorized information or interrupting the operation of computer systems and/or networks.
Cookies: are files stored on users’ computers or mobile devices when accessing a web page that stores and retrieves information related to their browsing.
Confidentiality: guarantee that information is accessible only by authorized persons.
Integrity: guarantee of the accuracy and completeness of the information and the methods of its processing.
Information security: set of practices and methods aimed at preserving the confidentiality, integrity and availability of information.
Anonymization: use of reasonable technical means available at the time of processing, through which data loses the possibility of direct or indirect association with an individual.
Anonymized data: data relating to a holder who cannot be identified, considering the use of reasonable technical means available at the time of processing.
Breach of personal data: breach of security that causes, accidentally or unlawfully, the destruction, loss, alteration, disclosure or unauthorized access to personal data transmitted, stored or subject to any other type of treatment.
Legislation:
Law No. 13,709, of August 14, 2018: General Law for the Protection of Personal Data (Lei Geral de Proteção de Dados Pessoais – LGPD);
Law No. 12,965, of April 23, 2014 (Marco Civil da Internet): establishes principles, guarantees, rights and duties for the use of the Internet in Brazil.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and regulations issued under HIPAA are a set of US health laws that establish requirements for the use, disclosure, and protection of individually identifiable health information. The scope of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.
HIPAA applies to covered entities (specifically, health care providers, health plans, and health care clearinghouses) that create, receive, maintain, transmit, or access patient protected health information (PHI). HIPAA further applies to business associates of covered entities who perform certain functions or activities involving PHI as part of providing services to the covered entity or on behalf of the covered entity.
When a covered entity engages the services of a cloud service provider, the cloud service provider would be a business associate under HIPAA. In addition, when an associated company subcontracts with a cloud service provider to create, receive, maintain or transmit PHI, the cloud service provider also becomes a business associate.
HIPAA regulations require covered entities (defined by the Rules) to enter into agreements with business associates to ensure that PHI is adequately protected. This agreement is called the Business Associate Agreement. Among other things, a Business Associate Agreement sets forth the business associate’s permitted and required uses and disclosures of PHI based on the relationship between the parties and the activities or services being performed by the business associate. To support their customers’ HIPAA compliance when those customers use their business products and services, cloud providers enter into Business Associate Agreements with their covered-entity and business-associate customers.
What is Hitrust?
The Health Information Trust Alliance’s (HITRUST) Common Security Framework (CSF), in its own words, “is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. Developed in collaboration with healthcare and information security professionals, the HITRUST CSF streamlines healthcare regulations and standards into a comprehensive security framework.”
The HITRUST CSF unifies security controls from federal law (such as HIPAA and HITECH), state law (such as Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth), and non-governmental frameworks (such as the PCI Security Standards Council) into a single structure, customized according to the needs of the healthcare area.
See: https://www.hhs.gov/hipaa/index.html
BRAZIL
What does the General Personal Data Protection Law – LGPD deal with?
The General Data Protection Law – LGPD (Law n. 13.709, of 2018), provides for the processing of personal data of natural persons, defining the hypotheses in which such data may legitimately be used by third parties and establishing mechanisms to protect data subjects data against inappropriate uses.
The LGPD is applicable to the data of natural persons and must be complied with by natural persons and public or private entities, regardless of the country of their headquarters or where the data is located, that carry out any processing operation of personal data, such as the collection, storage and sharing of data with third parties, provided that such processing (i) is carried out in the national territory, (ii) has as its object the offer or supply of goods or services or the processing of data of individuals located in the national territory, or, still, (iii) when the personal data have been collected in the national territory.
How can personal data protection legislation help Brazil?
The LGPD aims to protect the fundamental rights related to the information sphere of the citizen. Thus, the Law introduces a series of new rights that ensure greater transparency regarding the processing of data and give the holder protagonism regarding its use.
The approval of the LGPD and the creation of the National Data Protection Authority – ANPD also represent important steps towards placing Brazil on the same level as many other countries that have already approved laws and institutional structures of this nature.
The constitution of a legal environment focused on the protection of personal data also corresponds to alignment with the guidelines of the Organization for Economic Cooperation and Development – OECD, which for decades has played an important role in promoting respect for privacy as a fundamental value and as a precondition for the free flow of data.
Finally, from the point of view of data processing agents, whether companies or the government itself, the LGPD brings the opportunity to improve data governance policies, with the adoption of good practice rules and the incorporation of technical and administrative measures that mitigate risks and increase data subject confidence in the organization.
When did the LGPD come into effect?
The law entered into force in a staggered manner:
· On December 28, 2018, regarding arts. 55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55-I, 55-J, 55-K, 55-L, 58-A and 58-B, which deal with the constitution of the National Data Protection Authority – ANPD and the National Council for the Protection of Personal Data and Privacy – CNPDPP;
· On September 18, 2020, regarding the other articles of the law, with the exception of the provisions dealing with the application of administrative sanctions;
· On August 1, 2021, regarding arts. 52, 53 and 54, which deal with administrative sanctions.
With the LGPD, how is the Positive Register?
As the LGPD is a general law, the rules of the Consumer Protection Code (Law No. 8078/90) for the treatment of negative data and of the Positive Registration Law (Law No. 12414/2011) for the treatment of positive data remain in force.
In Article 7, Item X, of the LGPD, the legislator expressly mentions that the processing of personal data can be carried out for “credit protection”. In the same item, it recognizes the existing provisions in the relevant legislation, thus including the laws that deal specifically with credit.
What is personal data processing, according to the LGPD?
According to the LGPD, processing of personal data is any operation carried out with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or information control, modification, communication, transfer, diffusion or extraction.
What are personal data?
The LGPD adopts an open concept of personal data, defined as information related to an identified or identifiable natural person.
Thus, in addition to the basic information related to the name, registration number in the General Registry (RG) or in the National Taxpayer Registry (CPF) and residential address, other data that allow the identification of an individual are also considered personal data, such as sexual orientation, political party affiliation, medical history and also those referring to the individual’s biometric aspects.
According to the LGPD, those used to form the behavioral profile of a certain natural person, if identified, may also be considered as personal data.
What is sensitive personal data?
Sensitive personal data are those to which the LGPD has given even greater protection, as they are directly related to the most intimate aspects of an individual’s personality.
Thus, sensitive personal data are those related to racial or ethnic origin, religious conviction, political opinion, union membership or organization of a religious, philosophical or political nature, data referring to health or sex life, genetic or biometric data, when linked to an individual.
About the data considered sensitive, how about the issue of biometric data?
The LGPD classifies biometric data as sensitive personal data, providing even more rigor in the criteria applicable to its treatment. In these cases, the treatment may be carried out without the holder’s consent when dealing with hypotheses that include compliance with a legal or regulatory obligation and fraud prevention and the holder’s security, among others.
What data is protected by the LGPD?
The LGPD guarantees the protection of all data whose holders are natural persons, whether in physical or digital format. Thus, the LGPD does not reach data held by legal entities – which are not considered personal data for the purposes of the Law.
In what cases can personal data be processed?
With the entry into force of the LGPD, the processing of personal data can be carried out when any of the hypotheses provided for in its article 7 is verified or, in the case of sensitive personal data, one of the hypotheses provided for in article 11. There are ten distinct legal bases for the processing of personal data and eight legal bases that legitimize the processing of sensitive personal data.
It is worth noting that the LGPD is also applicable to data whose access is public and to those made manifestly public by the holders, safeguarding the observance of the general principles and rights of the holders provided for in the Law.
What are the legal bases for processing personal data?
The processing of personal data (non-sensitive) may be carried out in any of the following cases, provided for in art. 7 of the LGPD:
· Upon the provision of consent by the holder;
· For compliance with a legal or regulatory obligation by the controller;
· For the execution of public policies, by the public administration;
· To carry out studies by research body;
· For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;
· For the regular exercise of rights in judicial, administrative or arbitration proceedings;
· For the protection of the life or physical safety of the holder or a third party;
· For the protection of health, exclusively, in a procedure carried out by health professionals, health services or health authorities;
· To meet the legitimate interests of the controller or a third party, except in the event that the holder’s fundamental rights and freedoms prevail that require the protection of personal data;
· For credit protection.
What are the rights of citizens with the entry into force of the LGPD?
The LGPD provides for a wide range of rights for data subjects, among which the following can be highlighted:
· facilitated access to information on the processing of your data, which must be made available in a clear, adequate and conspicuous manner;
· confirmation of the existence of treatment;
· data access;
· correction of incomplete, inaccurate or outdated data;
· anonymization, blocking or deletion of data that is unnecessary, excessive or treated in violation of the provisions of this Law;
· portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;
· deletion of personal data processed with the consent of the holder, except in the cases provided for in art. 16 of the LGPD;
· information on public and private entities with which the controller shared data;
· information on the possibility of not giving consent and on the consequences of the refusal;
· revocation of consent, upon express manifestation of the holder, through a free and facilitated procedure;
· petition in relation to your data against the controller, before the national authority and before consumer protection bodies;
· opposition to treatment carried out based on one of the hypotheses of waiver of consent, in case of non-compliance with the provisions of the LGPD;
· request for a review of decisions taken solely on the basis of automated processing of personal data that affect your interests, including decisions aimed at defining your personal, professional, consumption and credit profile or aspects of your personality; and
· provision, upon request, of clear and appropriate information regarding the criteria and procedures used for automated decision-making, observing commercial and industrial secrets.
What do businesses and government need to do to comply?
The LGPD establishes a series of measures that must be adopted by processing agents, which include identifying the legal bases that justify data processing activities; the adoption of internal processes and policies that ensure compliance with personal data protection rules; and the establishment of a contact channel with the holders of personal data.
The Law determines that data controllers must appoint a Person in Charge to act as a communication channel between the controller, the data subjects and the ANPD. In certain circumstances, depending on the nature and size of the entity or the volume of data processing operations, the ANPD may establish hypotheses for waiving the need for its indication.
We still don’t have anything according to what the LGPD asks for. What to do?
It is important to remember that personal data permeates the entire organization, so the success of this work will depend on everyone’s effort and involvement. The first steps must have the company’s management involved and aware of the need to comply, in order to have a strong sponsor and to form a multidisciplinary team that involves several areas, such as compliance, technology, security and governance, legal and human resources.
What is the desired profile for the Person in Charge (DPO)?
The designation of the Person in Charge must be based on the professional qualities of the nominee, particularly their legal and regulatory knowledge, knowledge of technology and information security, organizational leadership, awareness-raising and training skills, and also knowledge of governance. The more complex the data processing activities carried out by the organization, the greater the level of technical knowledge required of the Person in Charge of Personal Data Processing (DPO).
What is the involvement of the IT area in the adequacy project?
The participation of the IT area is very important in the process of becoming compliant, as it is involved from supporting the availability of systems that support privacy demands to ensuring that information security tools, processes and good practices are in place and in accordance.
This area has a wide and comprehensive participation since the Law makes it clear that companies must adopt technical and administrative measures to ensure the protection of their personal data. However, the involvement of all areas is essential, especially the legal, compliance and business areas.
What is the job of the Person in Charge (DPO) in practice?
The Person in Charge will play a fundamental role in the organizations’ strategic decisions and must have autonomy over activities involving any type of data processing, in addition to having direct contact with the company’s management, making decisions that comply with the law.
As set out in Article 41 of the LGPD, the Person in Charge (DPO) must have the following attributions:
· accept complaints and communications from holders, provide clarifications and adopt measures;
· receive communications from the national authority and take action;
· guide the entity’s employees and contractors regarding the practices to be adopted in relation to the protection of personal data;
· carry out other attributions determined by the controller or established in complementary rules.
In addition to these attributions, the ANPD, the National Data Protection Authority, may establish additional rules on the definition and attributions of the person in charge.
How important is technology for the implementation of the LGPD?
The process of complying with the LGPD must go through people, areas, processes, systems, and legal and technology partners. Because of all these variables, we understand that technology does make a difference and is important: depending on the size and complexity of an organization, managing all these entities in accordance with the requirements of the law without a management tool that can aggregate, register and control all these demands can become an extremely difficult project.
According to Art. 49 of the Law, the systems used for the processing of personal data must be structured in order to meet the security requirements, the standards of good practices and governance and the general principles provided for in this Law and other regulatory standards.
What is Data Mapping and how to do it?
Data Mapping consists of surveying, across the organization’s structure, either with its own resources or with a specialized company, all items associated with personal data. With this information, an inventory is created, which can basically be of four types:
· Active tables or entire databases, applications that retain non-electronic data or physical files;
· Suppliers of systems with which personal data is shared, such as a CRM in the cloud;
· Processes or activities that somehow manipulate personal information;
· Partner companies that also handle personal data under the organization’s responsibility.
After defining what will be inventoried, the next step is to map it through an iterative and incremental process. That is, it is useful to start by mapping what is already known, since from the outset it is then possible to become aware of the gaps and the possible risks involved.
Can the consent form be written or digital? In the case of digital, is there any rule to follow?
Consent can be obtained in both physical and digital form, but it must be, as stated in Art. 8, “in writing or by other means that demonstrates the expression of the holder’s will”. Like the GDPR, the General Data Protection Law is concerned with limiting the retention of data to only what is strictly necessary for its treatment.
The Law sets no fixed period for the retention of processed data, but it establishes, in its Art. 16, that “personal data will be eliminated after the end of their treatment, within the scope and technical limits of activities”. The data retention period under the LGPD is therefore conditioned on the purpose declared by the person responsible for the treatment, and once the data have served that purpose, they must be deleted from the organization’s servers.
What is the National Personal Data Protection Authority – ANPD?
ANPD is the federal public administration body responsible for ensuring the protection of personal data and for implementing and overseeing compliance with the LGPD in Brazil.
See: https://www.gov.br/anpd/pt-br
What is the role of the National Data Protection Authority – ANPD?
ANPD’s institutional mission is to ensure the broadest and most correct observance of the LGPD in Brazil and, to that extent, guarantee due protection to the fundamental rights of freedom, privacy and free development of the personality of individuals.
Article 55-J of the LGPD establishes the main powers of the ANPD, among which the following stand out:
· develop guidelines for the National Policy for the Protection of Personal Data and Privacy;
· monitor and apply sanctions in the event of data processing carried out in breach of the legislation, through an administrative process that ensures the contradictory, ample defense and the right of appeal;
· promote awareness among the population of norms and public policies on the protection of personal data and security measures;
· encourage the adoption of standards for services and products that facilitate the holders’ exercise of control over their personal data, which should take into account the specificities of the activities and the size of those responsible;
· promoting cooperation actions with personal data protection authorities in other countries, whether of an international or transnational nature;
· edit regulations and procedures on personal data protection and privacy, as well as on reports on the impact of personal data protection for cases in which the treatment poses a high risk to the guarantee of the general principles of protection of personal data provided for in this Law;
· listen to treatment agents and society in matters of relevant interest and report on their activities and planning;
· edit rules, guidelines and simplified and differentiated procedures, including deadlines, so that micro and small companies, as well as business initiatives of an incremental or disruptive nature that declare themselves startups or innovation companies, can adapt to the Law;
· deliberate, in the administrative sphere, on a terminating basis, on the interpretation of the LGPD, its competences and omissions;
· articulate with public regulatory authorities to exercise their powers in specific sectors of economic and government activities subject to regulation; and
· implement simplified mechanisms, including electronic means, for registering complaints about the processing of personal data in violation of this Law.
When was the ANPD created?
The ANPD was created by Provisional Measure n. 869, of December 27, 2018, later converted into Law n. 13,853, of August 14, 2019.
In turn, Decree 10,474, of August 26, 2020, approved the Regulatory Structure and the Demonstrative Table of Positions in Commissions and Trust Functions of the ANPD, with entry into force on the date of publication of the appointment of the Director-President of the ANPD in the Federal Official Gazette.
What is the structure of the ANPD?
Pursuant to art. 55-C of the LGPD and art. 3 of Decree 10,474/20, the ANPD has the following composition:
· Board of Directors, the highest management body, made up of five Directors, including the Chief Executive Officer;
· National Council for the Protection of Personal Data and Privacy, a consultative body made up of 23 representatives from public bodies, civil society, the scientific community, the productive and business sector and the labor sector.
· Direct and immediate assistance bodies to the Board of Directors:
a) General Secretariat;
b) General Coordination of Administration; and
c) General Coordination of Institutional and International Relations;
· Sectional bodies:
a) Internal Affairs;
b) Ombudsman; and
c) Legal Advice;
· Singular specific bodies:
a) General Coordination of Standardization;
b) General Inspection Coordination; and
c) General Coordination of Technology and Research.
See: https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/estrutura-organizacional-1
Is the ANPD an independent authority?
Despite being a body of the direct federal public administration, the ANPD has some institutional characteristics that give it greater independence, such as technical and decision-making autonomy and the fixed mandate of the Directors.
The LGPD also provides that the legal nature of the ANPD is transitory and may be transformed by the Executive Branch into an indirect federal public administration entity, subject to a special autarchic regime and linked to the Presidency of the Republic. Such assessment shall take place within 2 (two) years from the date of entry into force of the regulatory structure of the ANPD.
Can the ANPD apply sanctions for non-compliance with the law?
It should be remembered, firstly, that the provisions of the LGPD dealing with administrative sanctions will only come into force on August 1, 2021. After that date, the ANPD may apply, after an administrative procedure that allows full defense, the following administrative sanctions:
· warning, indicating the deadline for adopting corrective measures;
· simple fine of up to 2% (two percent) of the revenue of the private legal entity, group or conglomerate in Brazil in its last financial year, excluding taxes, limited in total to R$ 50,000,000.00 (fifty million reais) per infraction;
· daily fine, subject to the total limit set for the simple fine above;
· publication of the infraction after its occurrence has been duly investigated and confirmed;
· blocking of the personal data referred to in the infringement until it is regularized;
· deletion of the personal data to which the infringement refers;
· partial suspension of the functioning of the database to which the infraction refers for a maximum period of 6 (six) months, extendable for an equal period, until the processing activity is regularized by the controller;
· suspension of the personal data processing activity referred to in the infringement for a maximum period of 6 (six) months, extendable for an equal period; and
· partial or total ban on carrying out activities related to data processing.
Does the ANPD work with other entities and public bodies in the exercise of its powers?
Yes. The ANPD must coordinate with other entities and public bodies in order to ensure the fulfillment of its institutional mission, acting as a central body for interpreting the LGPD and establishing norms and guidelines for its implementation.
The LGPD determines, for example, that the ANPD and the public bodies and entities responsible for regulating specific sectors of economic and governmental activity must coordinate their activities, within their respective spheres of action, with a view to fulfilling their attributions with the greatest possible efficiency and promoting the proper functioning of the regulated sectors. Likewise, the LGPD determines that the ANPD must communicate to the competent authorities the criminal offenses of which it becomes aware.
It is important to note that the application of the sanctions provided for in the LGPD is the exclusive responsibility of the ANPD, and its powers will prevail, with regard to the protection of personal data, over the related powers of other entities or public administration bodies.
What is the profile of ANPD Directors? How are they chosen?
The LGPD determines that the Board of Directors of ANPD will be composed of 5 (five) directors, including the Chief Executive Officer. The members are chosen by the President of the Republic and appointed by him, after approval by the Federal Senate, and must be chosen among Brazilians who have an unblemished reputation, a superior level of education and a high reputation in the field of specialty of the positions to which they will be appointed.
The term of office of the members of the Board of Directors will be 4 (four) years. In order to ensure that such terms do not coincide (that is, that they end in different years), the terms of the first appointed members of the Board of Directors will be 2 (two), 3 (three), 4 (four), 5 (five) and 6 (six) years, as established in the appointment act.
What is the National Council for the Protection of Personal Data and Privacy – CNPDPP for?
The National Council for the Protection of Personal Data and Privacy is an advisory entity that enables the participation of different social segments in shaping the regulatory environment for the protection of personal data. Its main duties are:
· propose strategic guidelines and provide subsidies for the preparation of the National Policy for the Protection of Personal Data and Privacy and for the performance of the ANPD;
· preparing annual reports evaluating the implementation of the actions of the National Policy for the Protection of Personal Data and Privacy;
· suggest actions to be carried out by the ANPD;
· preparing studies and holding debates and public hearings on the protection of personal data and privacy; and
· disseminate knowledge about the protection of personal data and privacy to the population.
Participation in the National Council for the Protection of Personal Data and Privacy will be considered to provide a relevant, unpaid public service.
How will the members of the CNPDPP be chosen?
The CNPDPP is composed of twenty-three representatives, holders and alternates, of the following bodies and entities:
· 5 (five) from the federal Executive Branch;
· 1 (one) from the Federal Senate;
· 1 (one) from the Chamber of Deputies;
· 1 (one) from the National Council of Justice;
· 1 (one) from the National Council of the Public Ministry;
· 1 (one) from the Brazilian Internet Steering Committee;
· 3 (three) from civil society entities with activities related to the protection of personal data;
· 3 (three) from scientific, technological and innovation institutions;
· 3 (three) union confederations representing the economic categories of the productive sector;
· 2 (two) from entities representing the business sector related to the area of personal data processing; and
· 2 (two) from entities representing the labor sector.
The members of the CNPDPP and their alternates will be appointed by the President of the Republic.
The nominations of members representing the bodies of the Executive Power, the Legislative Power, the National Council of Justice, the National Council of the Public Ministry and the Internet Management Committee in Brazil must be submitted by the holders of the bodies to the Minister of State Head of the Civil House of the Presidency of the Republic.
The other nominations may be freely submitted to the Board of Directors of ANPD by entities representing the different segments, within a period of thirty days, counting from the date of publication of the call notice in the Official Gazette of the Union. Upon receipt of the nominations, the Board of Directors will form a triple list of holders and alternates for each vacancy, which will be forwarded to the Minister of State, Chief of Staff of the Presidency of the Republic, for appointment by the President of the Republic.
See: https://www.gov.br/anpd/pt-br/composicao-1/conselho-nacional-de-protecao-de-dados-pessoais-e-privacidade-cnpd
How will society participate in the work of the ANPD?
Under the terms of the LGPD, it is up to the ANPD to listen to treatment agents and society in matters of relevant interest and to report on its activities and planning. Furthermore, the regulations and standards issued by the ANPD must be preceded by public consultation and hearing, as well as by regulatory impact analysis.
Finally, it should be remembered that the CNPDPP is the form of institutionalized participation of different social groups in the ANPD.
Will natural and legal persons, public or private, who carry out personal data processing activities have to transfer their databases to the ANPD?
Individuals or legal entities that carry out data processing will not be required to transfer their databases to the ANPD. It is up to the ANPD to supervise and apply sanctions when data processing occurs in breach of data protection legislation, through administrative proceedings, with contradictory and full defense.
EUROPE
What is the GDPR?
The General Data Protection Regulation is a European Union law that was implemented May 25, 2018, and requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory. The regulation includes seven principles of data protection that must be implemented and eight privacy rights that must be facilitated. It also empowers member state-level data protection authorities to enforce the GDPR with sanctions and fines. The GDPR replaced the 1995 Data Protection Directive, which created a country-by-country patchwork of data protection laws. The GDPR, passed in European Parliament by overwhelming majority, unifies the EU under a single data protection regime.
Read our summary of the GDPR for an overview of the law. ( https://gdpr.eu/what-is-gdpr/ )
Who must comply with the GDPR?
Any organization that processes the personal data of people in the EU must comply with the GDPR. “Processing” is a broad term that covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on. Even if an organization is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies.
Find more information about who must comply with the GDPR: https://gdpr.eu/companies-outside-of-europe/
What are the GDPR fines?
The GDPR allows the data protection authorities in each country to issue sanctions and fines to organizations they find in violation. The maximum penalty is €20 million or 4% of global revenue, whichever is higher. Data protection authorities can also issue sanctions, such as bans on data processing or public reprimands.
Read more about how GDPR fines are assessed: https://gdpr.eu/fines/
How do I comply with the GDPR?
Organizations can comply with the GDPR by implementing technical and operational safeguards to protect personal data they control. The first step is to conduct a GDPR assessment to determine what personal data they control, where it is located, and how it is secured. They must also adhere to the privacy principles outlined in the GDPR, such as obtaining consent and ensuring data portability. You may also be required to appoint a Data Protection Officer and update your privacy notice ( https://gdpr.eu/privacy-notice/ ), among other organizational measures.
Review our GDPR checklist to learn more about the steps to compliance: https://gdpr.eu/checklist/
What is a Data Protection Officer?
A Data Protection Officer (DPO) is an employee within your organization who is responsible for understanding the GDPR and ensuring your organization’s compliance. The DPO is the main point of contact for the data protection authority. Typically, the DPO has knowledge of both information technology and law.
Learn more about the Data Protection Officer role here: https://gdpr.eu/data-protection-officer/
Does the GDPR require encryption?
The GDPR requires organizations to implement “appropriate technical and organizational measures” to secure personal data and provides a short list of options for doing so, including encryption. In many cases, encryption is the most feasible method of securing personal data. For instance, if you regularly send emails within your organization that contain personal information, it may be more efficient to use an encrypted email service than to anonymize the information each time.
ISO 27001 x ISO 27701
It is important initially to clarify the difference between ISO 27001 and ISO 27701.
The ISO 27001 standard – Information Security Management System – is a standard for implementing a management system focused on information security, while the ISO 27701 standard – Privacy Information Management System – is an extension of 27001 that adds new controls to the management system to protect the privacy of personal data specifically.
That said, it is essential to emphasize that ISO 27001 must be implemented before its scope can be extended to also meet ISO 27701. It is of course possible (and recommended) to implement both in parallel, but it is not possible to implement only ISO 27701 without implementing ISO 27001, since the main controls that form a secure management system are in ISO 27001.
Important terms
Some terms of ISO 27701 map directly onto LGPD terms, which shows the close relationship between the law and the extension standard. They are:
PII – Personally Identifiable Information – (LGPD: Personal Data): data that may allow the identification of the Data Subject;
PII Controller (LGPD: Data Controller): the party that determines the purposes and means by which personal data will be processed;
PII Processor (LGPD: Data Processor): the party that treats/processes personal data on behalf of the Data Controller, following its instructions;
PII Principal (LGPD: Data Subject): the natural person to whom the personal data subject to processing refer.
Who should implement ISO 27701?
Every organization, of any size and nature (public or private), that is responsible for processing personal data (PII Processor) or for controlling and making use of personal data (PII Controller), will benefit from adopting the best practices defined in ISO 27701. Management based on security and privacy risks seeks to help organizations avoid possible data leaks, improper access and other incidents that could lead to serious problems for the company.
What is ISO 27701?
The ISO 27701 standard was published on August 5, 2019 with the aim of being a logical adaptation to the LGPD and GDPR. It came as an extension standard to ISO 27001 to address the privacy gap in ISO 27001, and can be purchased from the link above for approximately $190.00.
As previously mentioned, ISO 27701 extends the ISO 27001 standard to also include controls related to data privacy. This means that, in addition to the controls provided for by the Information Security Management System (ISMS), such as the guarantee of data integrity, confidentiality and availability, in order to comply with the ISO 27701 standard, this management system must be expanded to a “Privacy Information Management System” (PIMS), which is a management system also concerned with managing the privacy of personal data. This management system seeks to help companies manage the privacy risks related to personal data, whether in relation to the controller or the data processor.
It is important to emphasize that when certifying ISO 27001 + ISO 27701, the company CANNOT say that it is automatically adhering to the LGPD. However, this certification demonstrates that the company has a robust management system concerned with the privacy of personal data, following the best market practices for managing information security and data privacy. The LGPD is not, so far, officially certifiable, as it is not yet in force and certification mechanisms are still being discussed.
What are the main advantages of ISO 27701?
The main benefits gained from establishing a PIMS adhering to ISO 27701 are:
· It shows customers, suppliers and employees that the company cares about their data and information, increasing trust;
· Meets the main requirements of the LGPD and GDPR;
· Makes clear to everyone involved what the roles and responsibilities of each one are;
· Increases the competence and awareness of employees regarding data security and privacy;
· Improves internal processes, reducing the risk of data leaks;
· Brings transparency to the controls established for privacy management: everyone knows how data is handled and what is being done with it;
· Facilitates agreements with business partners by increasing security and trust;
· Integrates easily with the Information Security Management System required by ISO 27001.
Implementing the norm
To implement ISO 27701, ISO 27001 must be implemented as well. For this, it is acceptable for the company to already be certified in ISO 27001 or to be in the process of certification.
It is also common for a company not to have ISO 27001. In this case, it will have to implement ISO 27001 and ISO 27701 together. This strategy is recommended and makes the implementation easier.