The LGPD – General Personal Data Protection Law came into force in August 2020 and dictates regulations on the processing of Personal Data and Sensitive Personal Data at national level, as well as the international transfer of Personal Data and Sensitive Personal Data collected in Brazil, with natural and legal persons being subject to inspection since then. Since Personal Data is related to the identified or identifiable natural person (article 5, I, of Law 13.709/2018), Sensitive Data (article 5, II, of Law 13.709/2018) is information that can be used in discriminatory manner and therefore require special protection. With regard to children's personal data, the LGPD dictates that specific consent from at least one parent or legal guardian is required (art. 14, §1).
Before we comment on the impacts of LGPD on companies, it is important to remember that the LGPD regulates any and all activities that involve the use of personal data, by physical or digital means, by natural or legal personnel, throughout the national territory or in countries where the data is located. It covers data related to the person, whether Brazilian or not, but who is in Brazil at the time of collection, in addition to data processed within the national territory, regardless of the means applied, the operator's headquarters country or the country where the data is located; data used to provide goods or services. However, the LGPD only applies to individuals or legal entities that manage data for economic purposes.
The application of the LGPD is extraterritorial, as its incidence is not restricted to people domiciled or established in Brazil. The following cases are considered: 1) if the data processing operation is carried out in the national territory and 2) if the personal data were collected in the national territory.
With the exception of cases of personal data processing excluded from the scope of the LGPD (art. 4), the law has effects on any person, natural or legal, public or private, who carries out personal data processing operations, by physical means or digital. This means that the duty of compliance must be observed by everyone who, although located outside the national territory, offers goods or services to the Brazilian consumer market or collects and processes data from people located in the country.
LGPD – PRINCIPLES AND LEGAL BASIS
The main objective of the LGPD and which directly affects the impacts of the LGPD on companies is to ensure transparency in the use of data from individuals, as its parameters are privacy and protection of personal data. It is important to understand what is considered personal data. Previously, when registering purchases, for example, individuals had to provide a series of personal data, which were often not even used for the purchase itself. However, they were later sold without authorization, when they should have been treated confidentially. With the LGPD, the data subject explicitly authorizes the disclosure of their data, and companies that ignore consent are subject to fines.
the basis of LGPD is consent, which must be received explicitly and unambiguously. It is necessary to request authorization from the data subject before processing is carried out. Non-consent must be the exception, that is, it is only possible to process data, without the citizen's authorization, when this is essential to comply with legal situations, provided for in the LGPD and/or in previous legislation, such as the Access to Information Law (LAI ).
The LGPD arrived to amend Law No. 12.965, of April 23, 2014, popularly called the Marco Civil da Internet, which regulated these transactions until then. And it is based on GDPR (General Data Protection Regulation), European regulation that uses the fundamental rights of freedom and privacy as a guide to establish rules regarding the collection and storage of personal data and its sharing.
According to the LGPD, the following principles must be observed when processing personal data: Purpose, Adequacy, Necessity, Free Access, Data Quality, Transparency, Security, Prevention, Non-Discrimination, Accountability. Faced with this new scenario, which is the entry into force of the LGPD, a major challenge arises for companies, which will have to review their data governance and privacy processes. It will be essential to carry out a mapping detailing how personal data is treated and its entire life cycle within the company, that is, where it goes, where it is stored, who has access and whether it is shared with third parties. From this analysis, it is possible to assess the maturity level of processes within the company, as well as the risks involved. Only then, with the deficiencies detected, do the procedures begin to transform the data transaction into a secure transaction, in accordance with the principles of the LGPD.
SOME IMPACTS OF THE IMPLEMENTATION OF THE LGPD
When talking about the impacts of LGPD on companies, we can start with implementation. The implementation of the LGPD had a major impact on business relationships, both commercial and consumer, which require data collection, especially in the current trend of data processing with the purpose of creating consumer profiles. Companies that collect user data must meet LGPD requirements, adapting mainly to users' express consent regarding the collection, processing of data, purpose and eventual transfer of their data to third parties.
Labor relations have also undergone significant changes, as the employer holds personal information about its employees. Although the LGPD authorizes companies to use the personal data of their employees and service providers (art. 7, V and IX) for the legitimate execution of contracts, for the benefit of the worker himself, attention and caution are necessary to the LGPD rules in all its phases. In cases of outsourcing services, it is also necessary to obtain the employee's written consent before processing their data, especially before transmitting them to third parties. In addition to employee consent, it is also recommended that companies create specific obligations in their commercial contracts, in accordance with the requirements imposed by the LGPD on data processing.
Data holders may rectify, cancel or even request deletion at any time. A LGPD gives consumers control over their data and also the possibility of punishing those responsible for any damage caused by the misuse of their information.
ANDP (National Data Protection Authority), created from the MP 869 / 18, is the body responsible for monitoring data protection by legal entities and may request companies, at any time, to provide information through privacy risk reports to ensure that they are following the regulations established by the LGPD.
SOME LEGAL ASPECTS ABOUT SENSITIVE DATA IN LGPD
In the scenario of the impacts of the LGPD on companies, it is important to define the types of data, in order to exercise its effective protection. Within the law, personal data is subdivided into anonymous and sensitive, allowing the holder affected by misconduct to appeal to the judicial system.
Sensitive data in the context of the LGPD is understood as personal data related to racial, ethnic origin, political orientation, sexual orientation, religious convictions, genetic data, medical history, among others that have a clear potential for social discrimination and therefore deserve legal protection. In other words, sensitive data are those that can trigger discriminatory acts against the holder, giving them maximum legislative protection.
In accordance with Art. 11, items I and II of the LGPD, the processing of this data can only be carried out when:
I – the holder or his/her legal guardian consents, in a specific and prominent manner, for specific purposes;
II – without providing consent from the holder, in cases where it is essential for: a) compliance with a legal or regulatory obligation by the controller; b) shared processing of data necessary for the execution, by the public administration, of public policies provided for in laws or regulations; c) carrying out studies by a research body, guaranteeing, whenever possible, the anonymization of sensitive personal data; d) regular exercise of rights, including in contract and in judicial, administrative and arbitration proceedings, the latter in accordance with the terms of Law No. 9.307, of September 23, 1996 (Arbitration Law); e) protection of the life or physical safety of the holder or third party; f) health protection, exclusively, in procedures carried out by health professionals, health services or health authorities; g) guarantee of fraud prevention and security of the holder, in the processes of identification and authentication of registration in electronic systems, safeguarding the rights mentioned in art. 9th of this Law and except in the case where fundamental rights and freedoms of the holder prevail that require the protection of personal data.
In relation to minor holders, the processing of sensitive data must contain express authorization from a parent or legal guardian. However, Art. 11 of the LGPD also dictates an exception to consent in urgent or emergency cases.
SOME IMPACTS OF LGPD ON HUMAN RESOURCES
Also in Human Resources, the impacts of the LGPD on companies were observed, as with the acceleration of digitalization in various business sectors, including HR, many companies are impacted by the LGPD. One of the bases of the Human Resources department's work routine is the data of the company's employees, which is used for various purposes, such as monitoring the organizational climate, career and management plans. Adapted to the LGPD, some impacts on HR were predicted, since for this management to be carried out, it is essential that professionals in the area access personal data of employees.
Human Resources Departments that were already working with process computerization quickly sought to meet the new requirements of the LGPD, adapting their data collection, processing and storage processes, in accordance with the rules set out in the law.
There is a large concentration of information collected daily in HR management processes, whether in hiring, dismissals and internal processes. Professional history, salary levels, contact information, identification documents, working hours. In addition to this important information, HR professionals also have access to data considered sensitive by the LGPD, such as medical records, family information, address, date of birth, dependents, among others. Data that, if not stored securely, can be stolen by hackers. To this end, it is essential that companies exercise maximum caution with the processes involving the processing of this data, thus ensuring the security of employees' information and meeting the requirements of the LGPD.
Although companies are authorized by the LGPD to use employees' personal data for management processes, these processes must be adequate to avoid sanctions. One of the adjustments requires the employee to sign a declaration of consent, indicating the purpose of the data collected, which is limited to information essential for the company's activities, and for how long it will be stored at the company. Therefore, it is necessary to assess the real need to request sensitive information such as gender, marital status, sexual orientation, among other information irrelevant to the activity that will be carried out.
The LGPD directly changes the routine of organizations, especially the HR sector that deals with employee data in their daily practices, hence the importance of knowledge and understanding of the impacts of the LGPD on HR, as well as adapting to the new imposed scenario by law.
In summary, the impacts of the LGPD on companies are already seen and proven, requiring changes in policies, processes, technologies and organizational culture to ensure adequate protection of personal data and compliance with the law. Review and adaptation of privacy policies, changes in data collection and consent processes, investments in information security, impact on contractual relationships and changes in organizational culture are some of the aspects that require the most attention when complying with the LGPD.
Please contact TATICCA Allinial Global Brazil, which has a qualified and experienced multidisciplinary team, tools and methodology to implement the LGPD in an objective and assertive way, with: guidance and training, diagnosis, analysis of employee contracts, analysis of supplier contracts, analysis of internal policies, analysis of contracts provision of services or sales of products, adaptation of contracts in compliance with the LGPD, data mapping, implementation of the service channel, preparation of a privacy policy, pre-formatted documentation with all LGPD requirements.