This legislation follows the global trend of enacting national data protection laws or strengthening existing ones in order to regulate the processing of personal data.
The processing of personal data includes any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
The previous legal framework in Brazil contained general data protection rules in various regulations; however, there was no specific law for the processing of personal data.
The new legislation brings complex rules, containing numerous references to concepts also found in the recent European data protection legislation (GDPR), which came into force in May 2018.
Both public authorities and private companies will be affected by the new rules and the liability will be joint and several, that is, if a company in the chain fails to comply with the rules, all may be punished, and among the sanctions provided for are daily fines of up to 2% (two percent) of the company's revenue, limited in total to BRL50.000.000,00 (fifty million reais) per violation.
The new law will require users' explicit consent for the collection and use of their personal data, whether by public authorities or private companies. Furthermore, users must have the option to view, correct, and delete such data.
It should be noted that these factors are also linked to employment contracts. This is because, with the enactment of the General Data Protection Law, it became mandatory to include clear and specific contractual clauses on this subject, including regarding international data transfers.
In view of this, companies must take special care when drafting employment contracts to include provisions on the exact reasons for collecting and using the required data and, especially, regarding the data subject's authorization and consent for the use of their data.
The legislation will be applicable even to companies headquartered abroad, provided that the processing of personal data is carried out in national territory, the activity aims to offer or provide goods or services or the processing of data of individuals located in national territory or the personal data subject to the processing have been collected in Brazil.
Furthermore, depending on the size of the company, it will be mandatory to indicate an individual who will act as a communication channel between the company, the data subject and the national authority.
In this regard, it is important to emphasize that the General Data Protection Law only establishes the duties that will be the responsibility of this individual, without mentioning anything about the obligation to be an employee or even requiring specific credentials to provide this service.
Among the specifications brought by the new law, there is the existence of sensitive personal data, which are related to specific information about the data subject, such as racial origin, religious beliefs and union membership.
Considering the changes brought about by Law No. 13.467/17 (Brazilian Labor Reform) and given that union membership is directly linked to labor issues, special care must be taken when collecting and disseminating data related to the subject, especially regarding the discount of union dues.
Data collected by companies may be stored for their exclusive use, with access by third parties prohibited, and provided that it is anonymized, to comply with legal or regulatory obligations and other situations provided for by law. Except for legal exceptions, all data must be deleted upon termination of the employment contract.
The obligations established by the General Data Protection Law will become enforceable 18 months from the date of its publication, that is, from February 15, 2020, a period that companies and public entities will have to adapt to the new rules.
