General Personal Data Protection Law
On August 14, 2018, Law 13.709/2018 was enacted in Brazil, regulating the processing of personal data, both by the public authorities and by the private sector. The Law became known as LGPD, the General Data Protection Law, and aims to strengthen the protection of personal data in Brazil.
Scope of the Law
The Law shall apply to any processing operation carried out by a natural person or legal entity under public or private law, regardless of the means, the country of its headquarters or the country where the data are located, provided that the processing operation is carried out in the national territory; the processing activity aims to offer or provide goods or services or to process data of individuals located in the national territory or the personal data subject to the processing were collected in the national territory[1].
The concept of personal data for Brazilian law
Brazilian law defines personal data in three types:
- Personal data: information related to an identified or identifiable natural person.
- Sensitive personal data: personal data about racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or organization of a religious, philosophical or political nature, data related to health or sexual life, genetic or biometric data, when linked to a natural person.
- Anonymized data: data related to a data subject that cannot be identified, considering the use of reasonable and available technical means at the time of its processing[2].
The concept of data subject
In turn, the holder of personal data is understood as the natural person to whom the personal data that are subject to processing refer[3]. Therefore, contrary to this, the Law does not apply to the protection of data of legal entities.
The concept of personal data processing for Brazilian law
The concept of personal data processing for Brazilian law is defined within the General Personal Data Protection Law, because Art. 5, item X of the Law understands that processing is "any operation carried out with personal data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction"[4].
References
.
ICANNWiki resources: Content Guide | Documentation | Development || Maintenance: Articles needing attention | Candidates for deletion || Projects: Internet & Digital Governance Library