Brazilian General Data Protection Law (LGPD)


LGPD Information Series

#1: LGPD BASICS

 

What is the LGPD and how will it impact background screening services received from First Advantage?

What is the LGPD?

Brazil recently enacted its own omnibus law governing the use of personal data, the Lei Geral de Proteção de Dados (LGPD), or General Law for the Protection of Privacy. The LGPD is intended to regulate the processing of personal data to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”

When will LGPD take effect?

After delays, the LGPD took effect August 27, 2020; enforcement of the LGPD’s penalties and sanctions provisions will not officially take effect until August 1, 2021. First Advantage is compliant with the LGPD, based on available guidance, and will be monitoring developments of the LGPD as they evolve and sharing additional information with our clients as it becomes available.

To whom does LGPD apply?

With some exceptions, the LGPD applies to any natural person or legal entity that processes the personal data of the people of Brazil, even if the entity processing the data is based outside of Brazil. The LGPD applies to organizations if: the processing is carried out in Brazil (the data subject is in the Brazilian territory at the time of the collection); the purpose of the processing activity is to offer goods or services to individuals located in Brazil; and/or the processed personal data was collected in Brazil.

What is Personal Data and how can it be processed?

Personal data in this statute is defined broadly as “information regarding an identified or identifiable natural person.” There are also special restrictions for the processing of “sensitive personal data,” which is data that relates to racial or ethnic origin, religious beliefs, political opinion, affiliation to unions or political, philosophical or religious organizations, health information, sexual preference, or genetic and biometric data.

What will LGPD require in the context of background screening?

The LGPD is similar to the EU’s General Data Protection Regulation (GDPR) in a number of areas, including distinguishing between controller and processor. In the context of background screening, First Advantage is a processor acting under the instructions of its controller client.

Compliance with the LGPD requires that the controller has a legal basis to direct processors to process personal data. These legal bases for processing personal data largely align to the GDPR. For the purposes of background screening, legitimate interests (to fulfill the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the data subject prevail) is likely to be the most useful, rather than consent. There are no specific rules addressing employment and consent as a basis for processing in the LGPD itself (personal data relating to an employee is treated by the law in the same way as other personal data) and therefore, in principle, it might be possible to validly obtain consent in an employment context; but it is possible (and maybe likely) that the newly created Brazilian National Data Protection Authority (ANPD) will ultimately adopt a position similar to the GDPR — that consent is not valid in the employment context because of the power imbalance and the impossibility of freely given consent in an employment relationship. If the controller uses the legitimate interests ground, the controller should keep a record of the actual legitimate interests pursued by it as controller (or by a third party).

When processing is based on the controller’s legitimate interest, only the personal data which is strictly necessary for the intended purpose may be processed. The controller should adopt measures to ensure transparency of data processing based on its legitimate interests. Of note, the LGPD provides that the national authority may request from the controller an impact report on protection of personal data when processing is based on legitimate interests.

Does LGPD require a privacy notice?

As in the GDPR, the LGPD requires that certain information be imparted by the controller to data subjects prior to processing (a privacy notice). Best guidance at this point (which is subject to change once the ANPD begins promulgating rules) is that such privacy notice should contain:

  • the specific purpose of the processing;
  • the type and duration of the processing;
  • the legal basis for the processing;
  • identification of the controller;
  • the controller’s contact information;
  • information regarding the shared use of data by the controller and the purpose;
  • responsibilities of the agents that will carry out the processing; and
  • the data subject’s rights, such as the right to access, rectification, erasure, data portability, etc., with explicit mention of the rights provided in Art. 18 of the LGPD.

To best comply with privacy principles, the controller might consider also including the following types of information:

  • information regarding data transfers to third countries, where applicable, and reference to appropriate or suitable safeguards;
  • the existence of the right to withdraw consent if processing is based on consent;
  • the right to lodge a complaint with a supervisory authority;
  • if applicable, information regarding automated decision making, including profiling.

What rights does LGPD provide for Data Subjects?

The LGPD sets out nine fundamental rights granted to all Brazilian data subjects that are similar to the eight fundamental rights laid out in the GDPR:

  • confirmation of the existence of processing;
  • access to data;
  • correction of incomplete, inaccurate, or outdated data;
  • anonymization, blocking, or elimination of unnecessary or excessive data or of data processed in noncompliance with the provisions of the LGPD;
  • portability of the data to other service providers or suppliers of products, at the data subject’s express request, according to the ANPD, and observing the protection of business and industrial secrets in the process;
  • elimination of the personal data processed with the consent of the data subjects, except in the cases set forth in Article 16 of the LGPD;
  • information on the public and private entities with which the controller has shared data;
  • information on the possibility of not providing consent and on the consequences of such denial;
  • revocation of the consent, pursuant to the provisions of paragraph 5 of Article 8 of the LGPD; and
  • reviewing decisions based on the processing of personal data carried out exclusively by automated means.

LGPD separates the right to be informed into the right to “information about the public and private entities with which the controller has shared data” and “information about the possibility of denying consent and the consequences of such denial.” This gives the data subject not only a right to request information the organization collects about the data subject, but also the right to ask about what will happen if the data subject does not give the controller consent to process his or her personal data. Data subjects are also entitled to an explanation about any automated decision-making carried out by the controller that affects their interests. When a data subject requests a review, the controller must provide “clear and adequate information regarding the criteria and procedures used for an automated decision.”

What about appointment of a DPO?

The LGPD indicates that a DPO must be appointed by controllers. However, the ANPD will have further rule-making authority over this obligation, and could in the future exempt controllers from appointing a DPO according to the nature and the size of the entity or the volume of data processing operations.

And what about transfer of personal information out of Brazil?

Also, while the LGPD indicates transfer mechanisms to ‘inadequate’ regions analogous to standard contractual clauses (SCCs), the ANPD has not yet promulgated language around their use, or guidance around which regions might be adequate, or what alternatives might be available.

About First Advantage

First Advantage provides comprehensive background screening, identity and information solutions that give employers access to actionable information that results in faster, more accurate people decisions. With an advanced global technology platform and superior customer service delivered by experts who understand local markets, First Advantage helps customers around the world build fully scalable, configurable screening programs that meet their unique needs. Headquartered in Atlanta, Georgia, First Advantage has offices throughout North America, the United Kingdom, Asia and the Middle East.

Information Content Notice

Although the foregoing has been authored by the First Advantage Global Legal Compliance Team, we are not authorized to provide your organization with legal advice because First Advantage is not a law firm. The foregoing information is rather provided in a spirit of partnership as helpful information on the possible impacts associated with LGPD.

Current as of September 2020
© 2020 First Advantage Corporation