On 10th July 2018, proposed House of Representatives Bill of Law No. 53/2018 was approved in the Senate, which, after presidential sanction and publication in the Official Gazette, became the General Data Protection Law in Brazil.
Such legislation follows the global trend towards enacting national data protection laws or strengthening existing laws to regulate the processing of personal data.
Processing of personal data comprises all operations performed with personal data, such as collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, filing, storage, elimination, evaluation, control, modification, communication, transfer, diffusion or extraction of data or information.
The former Brazilian legal framework contemplated general data protection rules in a number of norms; however, there was no specific law for the processing of personal data.
The new legislation introduces complex rules, containing numerous references to concepts also found in the recent European data protection regulation (GDPR), which became effective in May 2018.
Both public authorities and private companies will be affected by the new rules, and liability shall be joint and several, which means that, if a company in the chain fails to comply with the rules, all players may be punished. Among the penalties provided are daily fines of up to 2% (two percent) of the company’s turnover, limited in total to BRL50,000,000.00 (fifty million reais) per infraction.
The new law will require users’ express consent to collect and use their personal data, either by public authorities or private companies. Further, the user must have options to view, correct, and delete such data.
It should be noted that such requirements also impact employment contracts, since the General Data Protection Law now makes it mandatory for such contracts to contain direct and specific clauses on the subject, even regarding international data transfers.
In the light of the foregoing, companies should take care when drafting employment agreements, ensuring that they accurately contain the reasons for collecting and using the data and, especially, confirm the data subject’s express consent to use the data.
The General Data Protection Law will be applied even to companies headquartered abroad, provided that the processing of personal data is conducted in Brazil, the activity has the purpose of offering or providing goods or services or the processing of data of individuals located in Brazil, or the personal data being processed was collected in Brazil.
Moreover, depending on the size of the company, the designation of a person responsible for acting as a communication channel among the company, the user and the national authority will be mandatory.
In this regard, it is important to emphasize that the General Data Protection Law only sets out such person’s role and does not demand that he/she be an employee, not mentioning the obligation of designating an employee for that purpose or even requiring specific credentials for rendering the service.
Among the specifications introduced by the new law, attention must be drawn to sensitive personal data, which relates to the user’s racial origin, orientation and Union affiliation.
Having regard to the legislative changes introduced by Law No. 13.467/17 (Brazilian Labour Law Reform) and the fact that Union affiliation relates directly to employment issues, special care should be taken when collecting and disclosing data related to such matter, especially regarding the deduction of Union affiliation payments.
The data acquired by companies should be maintained only for their exclusive use and must remain anonymous. Third party access is forbidden. The data can also be maintained for compliance with legal or regulatory obligations, among other situations contemplated by law. In any other situation all data must be deleted at termination of the employment agreement.
The obligations established by the General Data Protection Law will become effective 18 months as from the date of its publication, i.e., as from 15th February 2020, which is the deadline established for companies and public entities to adapt to the new rules.