On August 14th, 2018, the General Data Protection Regulation (GDPR), Law No. 13.709, was sanctioned, and it will come into effect in August 2020. Its main objective is transparency regarding the use of personal data, that is, guaranteeing legal and natural persons more control over, and privacy of, their personal data. The law also creates clear rules about how such data may be collected, stored and shared.
The GDPR is founded on the European regulation approved in May 2018, which relies on the fundamental rights of liberty and privacy to establish rules for collecting and storing personal data. It also provides for the hypotheses that make data handling lawful, in which the explicit consent of the data subject is necessary; data subjects must be clearly informed on how their data will be handled and must grant their authorization for that handling.
As for companies, they will only be allowed to collect certain kinds of data with the data subject's authorization, and such authorization must be explicit and validated. Children's and adolescents' personal data require special attention, and the parents' authorization will also be necessary for collecting such data.
It is important to highlight that data owners will be able, at any time, to rectify, cancel or request the deletion of their data from the company's database.
Companies must adapt to the new demands brought by the GDPR by creating an Information Security Committee responsible for analyzing the current state of internal procedures for the data received, and for mapping data handling throughout its entire life cycle and storage inside the company.
This means that companies must guarantee the security of the personal data they handle and, in case of incidents, must notify the regulatory agency, the National Agency of Data Protection, and the data owner; such communication is the responsibility of the DPO (data protection officer) or of someone else in charge of the data.
Finally, we have to highlight that the GDPR establishes, in article 52, administrative sanctions that will be applied to the handling agents in case of a violation of the law. They have a retributive nature because they impose a sanction on the offender for the action carried out, deterring new illegal acts.
Now, less than a year before the law comes into effect, companies need to adapt to the changes brought by the GDPR in order to avoid future sanctions imposed by the National Agency of Data Protection.
Patrícia Costa de Carvalho Cosentino, Lawyer at Almeida Prado & Hoffmann Advogados Associados office.