ILN Data Privacy Paper

ILN DATA PRIVACY GUIDE 2024 An International Guide

www.iln.com ILN Cybersecurity & Data Privacy Group and ILN Technology Media & Telecommunications Group

Disclaimer This guide offers an overview of legal aspects of data protection in the requisite jurisdictions. It is meant as an introduction to these marketplaces and does not offer specific legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship, or its equivalent in the requisite jurisdiction. Neither the International Lawyers Network nor its employees, nor any of the contributing law firms or their partners or employees, accepts any liability for anything contained in this guide or to any reader who relies on its content. Before concrete actions or decisions are taken, the reader should seek specific legal advice. The contributing member firms of the International Lawyers Network can advise in relation to questions regarding this guide in their respective jurisdictions and look forward to assisting. Please do not, however, share any confidential information with a member firm without first contacting that firm.

This guide describes the law in force in the requisite jurisdictions at the dates of preparation. This may have been some time ago and the reader should bear in mind that statutes, regulations, and rules are subject to change. No duty to update information is assumed by the ILN, its member firms, or the authors of this guide. The information in this guide may be considered legal advertising. Each contributing law firm is the owner of the copyright in its contribution. All rights reserved.


About the ILN The ILN is a non-exclusive network of high-quality mid-sized law firms, which operates to create a global platform for the provision of legal services, particularly for clients with international needs. With a presence in 67 countries, it is exceptionally well placed to offer seamless legal services, often of a cross-border nature, from like-minded and quality legal practices. In 2021, the ILN was honored as Global Law Firm Network of the Year by The Lawyer European Awards, and in 2016, 2017, 2022, and 2023 it was shortlisted as Global Law Firm Network of the Year. Since 2011, the Network has been listed as a Chambers & Partners Leading Law Firm Network, improving this ranking in 2021 to be included in the top two percent of law firm networks globally. Today, the ILN remains at the very forefront of legal networks in its reach, capability, and depth of expertise.

Authors of this guide:

1. Cybersecurity & Data Privacy Group
Co-chaired by Jim Giszczak of McDonald Hopkins and Stuart Gerson of Epstein Becker & Green, the Cybersecurity & Data Privacy Specialty Group provides an international platform for enhanced communication, enabling all of its members to easily service the needs of their clients requiring advice.

2. Technology, Media & Telecom (TMT)
Co-chaired by Alishan Naqvee of LexCounsel in New Delhi and Gaurav Bhalla of Ahlawat & Associates in New Delhi, the TMT Group provides a platform for communication on current legal issues, best practices, and trends in technology, media & telecom.

Table of Contents

Argentina 5
Brazil 13
Canada 25
Czech Republic 38
India 49
Portugal 60
Romania 81
Spain 93
Ukraine 104
USA - Illinois 115
USA - Ohio 125

Argentina

In Argentina, data protection is governed by comprehensive legislation aimed at safeguarding individuals' personal data. Below you will find an outline of the key aspects, including the governing legislation and its scope of application, requirements for data processing, rights and duties of data providers/principals, processing of children's data, regulatory authorities, and consequences of non-compliance.

Governing Data Protection Legislation

1.1. Overview of Principal Legislation
Data protection in Argentina is primarily regulated by the right to Habeas Data, enshrined in Art. 43 of the Argentine Constitution of 1994. Although this right is constitutional, the protection of personal data is implemented through the Personal Data Protection Law No. 25,326 ("Ley de Protección de Datos Personales", hereinafter "PDPL"), enacted in 2000. The PDPL is the cornerstone of Argentina's data protection regime. It aims to strike a balance between the free flow of information and individuals' right to privacy, imposing strict obligations on data controllers and data processors while affording data subjects various rights. It establishes the fundamental principles and requirements for the processing of personal data in the country, aligns with international data protection standards, and provides a strong legal framework for data protection.

1.2. Additional or Ancillary Regulation, Directives, or Norms
Complementing the principal legislation, several regulations and guidelines further detail data protection requirements. Notably, the Argentine Data Protection Authority ("Agencia de Acceso a la Información Pública", hereinafter "AAIP"), the regulatory body responsible for enforcing data protection laws in Argentina, issues resolutions and guidelines to clarify specific aspects of data protection, ensuring consistent compliance across sectors and industries and providing further clarity on the PDPL, especially with respect to newer technologies. These directives help organizations understand their obligations and best practices regarding data protection.

Contact Us +54 11 5278 5280

https://syls.com.ar/ jmca@syls.com.ar Arroyo 880, 2º Piso Buenos Aires, C1007AAB Argentina

Scope of Application

2.1. Legislative Scope

2.1.1. Definition of Personal Data
The PDPL has a broad scope of application, covering the processing of personal data within the country's borders. Article 2 of the PDPL distinguishes the different types of personal data and defines each of them. Broadly, personal data is defined as any information that allows the identification of an individual or makes them identifiable. This definition includes both direct and indirect identification criteria and encompasses a wide range of information, including but not limited to names, identification numbers, addresses, and even electronic identifiers.

2.1.2. Definition of Different Categories of Personal Data
The PDPL recognizes various categories of personal data, acknowledging that sensitive data, such as health records or biometric information, requires special protection. Sensitive data is personal information that discloses racial or ethnic origin, political beliefs, religious, philosophical or moral convictions, union affiliations or memberships, or data concerning one's health or sexual life. The terms 'file,' 'record,' 'database,' or 'data bank' are used interchangeably to describe organized sets of personal data subject to processing, whether electronically or otherwise, regardless of how they are created, stored, organized, or accessed.

2.1.3. Treatment of Data and Its Different Categories
The PDPL regulates the processing of both personal and non-personal data, ensuring that the principles of data protection apply universally. It also sets out key definitions crucial for data processing, ensuring clarity and consistency. Data processing refers to systematic operations and procedures, electronic or not, involved in collecting, preserving, ordering, storing, modifying, correlating, evaluating, blocking, destroying, or generally managing personal data, including their transfer to third parties through various means. This definition covers both electronic and non-electronic data, adapting to evolving technological landscapes.

2.1.4. Other Key Definitions Pertaining to Data and Its Processing
The legislation provides key definitions related to data processing, such as data controller and data processor, ensuring clarity in roles and responsibilities within data processing activities. Computerized data is personal information subjected to electronic or automated processing. Data disassociation is the processing of personal data in a manner that renders the resulting information incapable of being linked to a specific or identifiable individual.

Statutory Exemptions
The PDPL allows for exemptions in specific situations, such as when data processing is required by law or necessary for the performance of a contract, or when data is processed for journalistic, artistic, or literary purposes, for domestic activities, or for public security or defense. These exemptions must align with the PDPL's overarching principles and respect individuals' rights.

3.1. Territorial and Extra-Territorial Application
The PDPL applies within Argentina's territory and extends to data processing activities with an extraterritorial impact, i.e. when data controllers or processors outside Argentina process the personal data of Argentine residents.

Legislative Framework

4.1. Key Stakeholders
Data Controller: An individual or legal entity, whether public or private, who is the owner of a file, record, database, or data bank.
Data Processor: Entities or individuals that process data on behalf of the data controller.
Data Subject: The individual to whom the personal data being processed belongs.

4.2. Role and Responsibilities of Key Stakeholders
The PDPL assigns specific responsibilities to each stakeholder, emphasizing the data controller's duty to inform data subjects, obtain consent, and ensure data security. Data controllers in Argentina must ensure compliance with the PDPL, obtain explicit consent for data processing, and protect data subjects' rights. They are responsible for notifying data subjects about the purpose and scope of data processing. Moreover, they must register with the AAIP as data controllers, as well as register any database containing personal data, whether public or private. Data processors are required to process data strictly in accordance with the instructions of the data controller, and must implement robust data security measures to protect the data they handle. Data subjects in Argentina have various rights, including the right to access their data, rectify inaccuracies, and request data erasure when necessary.

Requirements for Data Processing

5.1. Grounds for Collection and Processing
Data processing must be based on lawful grounds, including consent, contractual necessity, legal obligations, vital interests, or legitimate interests pursued by the data controller. Data processing often requires the explicit and informed consent of the data subject. Consent notices should clearly outline the purpose of data processing, and, consent being a fundamental requirement, data subjects have the right to withdraw it at any time.

5.2. Data Storage and Retention Timelines
The PDPL requires data controllers to establish retention periods that align with the purpose for which the data was collected. Argentina's regulations specify maximum periods for data retention and the conditions under which data can be retained.

5.3. Data Correction, Completion, Update, or Erasure of Data
Individuals have the right to request correction or erasure of inaccurate or outdated data concerning them. Data controllers are obligated to respond to such requests promptly.

5.4. Data Protection and Security Practices and Procedures
Data protection and security practices are of paramount importance. Data controllers and processors are required to implement security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction; examples include encryption, access controls, and regular audits to protect personal data from breaches. These measures must be commensurate with the sensitivity of the data being processed.

5.5. Disclosure, Sharing, and Transfer of Data
Transfers of personal data to third parties require data subject consent or a legal basis. Cross-border data transfers must adhere to data protection regulations and, in certain cases, require authorization from the AAIP, as further discussed below.

5.6. Cross-Border Transfer of Data
Cross-border data transfers are subject to specific rules and safeguards in line with international data protection standards. On January 15, 2024, the European Commission ("Commission") published its findings regarding the first review of the adequacy decisions adopted under Article 25(6) of Directive 95/46/EC of 1995 ("Directive"). In these decisions, the Commission had determined that eleven countries or territories, including Argentina, ensured an adequate level of personal data protection, allowing the free transfer of data from the European Union (EU) to those countries or territories. With the entry into force of the EU General Data Protection Regulation (GDPR) in 2018, it was established that adequacy decisions made under the Directive would remain in effect but be subject to review every four years. In this first review, the Commission found that the data protection frameworks in the countries and territories under review had evolved, including through legislative reforms and regulations issued by data protection authorities. Regarding Argentina, the Commission emphasized the importance of the independence of the AAIP as the supervisory authority and the ratification of Convention 108+ in 2023. Additionally, it noted that a draft Data Protection Bill introduced in Congress and still subject to review could further strengthen the data protection framework in the country. As a result of its findings, the Commission concluded that personal data transferred from the EU to Argentina benefits from adequate protection guarantees. Consequently, such data can continue to flow freely from the EU to Argentina, maintaining the country's position at the forefront of personal data protection and facilitating greater efficiency and security in international operations.

5.7. Grievance Redressal
The PDPL mandates the establishment of grievance redressal mechanisms, enabling data subjects to exercise their rights and seek remedies in cases of non-compliance.

Rights and Duties of Data Providers/Principals

6.1. Rights and Remedies
Right to Withdraw Consent: Individuals have the right to withdraw their consent for data processing at any time.
Right to Grievance Redressal and Appeal: Data subjects can file complaints with the Data Protection Authority and seek judicial remedies.
Right to Access Information (Habeas Data): Art. 43 of the Argentine Constitution grants individuals the right to access, update, or delete personal data held about them.
Right to Nominate: Individuals can nominate a representative to exercise their data protection rights.

6.2. Duties
Data controllers and processors are duty-bound to provide accurate information, report changes, and respect the rights and privacy of others in accordance with Argentina's data protection regulations.

Processing of Children or Minors' Data

The PDPL places special emphasis on protecting the data of children and minors, requiring parental consent for data processing activities involving minors.

Regulatory Authorities

8.1. Overview of Relevant Statutory Authorities
The AAIP is the regulatory authority responsible for enforcing the PDPL, and has the power to issue resolutions and guidelines to clarify specific aspects of data protection and to keep data protection regulation current with emerging technologies.

8.2. Role, Functions, and Powers of Authorities
The AAIP plays a crucial role in overseeing compliance with data protection regulations. It is tasked with monitoring compliance, investigating data breaches, and issuing penalties for violations.

8.3. Role, Functions, and Powers of Civil/Criminal Courts in the Field of Data Regulation
Civil and criminal courts can be involved in data protection cases, particularly when individuals seek legal remedies for data breaches or non-compliance with data protection laws.

Consequences of Non-Compliance

9.1. Consequences and Penalties for Data Breach
Data controllers and processors in Argentina face significant penalties and consequences for data breaches, including fines and mandatory notifications to affected data subjects. Non-compliance with data protection laws, including data breaches, can result in severe penalties, including fines, suspension of data processing activities, or disqualification of the data controller. The PDPL also amends Argentina's criminal law (articles 117 bis and 157 bis of the National Penal Code) to cover cases in which data controllers and processors are punished for data breaches and non-compliance.

9.2. Consequences and Penalties for Other Violations and Non-Compliance
Violations of other provisions of data protection laws may also lead to penalties, depending on the severity of the violation.


Brazil

Introduction

The Brazilian General Data Protection Law ("LGPD"), enacted in 2018 and enforced since 2020, serves as the cornerstone of the country's data protection framework. Its primary objective is to ensure the fundamental rights of data subjects and regulate how personal data is processed by processing agents. The LGPD outlines the rights and obligations of data controllers and processors, establishes enforcement mechanisms through sanctions and inspections, and fosters overall governance of data processing activities. Before the LGPD, data protection and privacy rights were governed by a patchwork of sector-specific laws covering areas like consumer rights, finance, healthcare, the public sector, and criminal law. Additionally, the Civil Rights Framework for the Internet ("Marco Civil da Internet"), enacted in 2014 with its accompanying decree, laid the groundwork for processing personal data online.

Governing Data Protection Legislation

2.1. Overview of principal legislation
The LGPD, Federal Law No. 13,709/2018, aims to safeguard the fundamental rights of freedom and privacy, fostering the personal development of individuals. It represents a major regulatory advancement, aligning Brazil's data protection legislation with international standards. Signed by the President on August 14, 2018, published on August 15, 2018, and taking effect on September 18, 2020, the LGPD marked a significant shift in how personal data is treated in Brazil. Further emphasizing this importance, the protection of personal data was expressly recognized as a fundamental right in Brazil's Federal Constitution (Article 5, LXXIX) in 2022. This inclusion highlights the high level of protection and priority assigned to safeguarding personal data within the country.

Contact Us

+55 (11) 3799-8100 https://klalaw.com.br/en/home/ accesar@klalaw.com.br Av. Brigadeiro Faria Lima, 1355 São Paulo, SP 01452-919 Brazil

2.2. Additional or ancillary regulation, directives or norms
A key provision of the LGPD is the establishment of the Brazilian Data Protection Authority ("ANPD"). Beyond its main role in overseeing data processing and legislation adherence, the ANPD also offers comprehensive guidance and clarification on complex and important issues encountered by data controllers in their operations. The ANPD has issued several regulations to enhance clarity and compliance within the LGPD framework, including the Regulation of the Inspection and Administrative Sanctioning Processes, specific to the ANPD's role and authority. The Authority has also issued regulations for applying the LGPD to small-scale data controllers and on the application of penalties, among others.

Scope of Application

3.1. Legislative Scope
The LGPD applies to any personal data processing activity carried out by individuals or legal entities, whether private or public. This applies regardless of the processing method (online or offline), the company's headquarters location, or the data's location, provided that: (i) the processing is performed in national territory; (ii) the processing activity has the purpose of offering or providing goods or services to individuals located in the national territory; (iii) the processing activities have, as their purpose, the processing of data from individuals located in the national territory; or (iv) the personal data has been collected in the national territory. The country in which the processing agents were incorporated or have head offices, the nationality and place of residence of the data subjects, and the country where the data is located are all considered irrelevant to the assessment of whether the LGPD applies to a given processing activity.

3.1.1. Definition of personal data
Personal data is defined as any information related to an identified or identifiable natural person. Under the LGPD, personal data encompasses not only directly identifying information, such as names and identification numbers, but also information that, when combined or utilized in conjunction, enables the identification of an individual.

3.1.2. Definition of different categories of personal data
Sensitive personal data is classified as any personal information related to an individual's racial or ethnic origin, religious beliefs, political opinions, membership in trade unions, or religious, philosophical, or political organizations, as well as data concerning health, sexual life, and genetic or biometric details. The processing of these categories of personal data poses significant risks to an individual's fundamental rights and freedoms, necessitating a higher standard of protection under the Law. Anonymized data refers to information about a data subject who cannot be identified, considering the use of reasonable technical means available at the time of processing. Anonymized data falls outside the scope of the Law.

3.1.3. Processing of personal data and its different categories
The LGPD mandates that the processing of personal or sensitive personal data must follow the legal bases established for each category of data, as detailed in Articles 7 and 11. Information on the legal bases can be found in Section 5.1 of this Guideline.

3.2. Statutory exemptions
The LGPD and its regulations are designed to govern the processing of personal data about identified or identifiable natural persons. Consequently, data exclusively associated with legal entities (for example, the Brazilian National Registry of Legal Entities) falls outside the purview of the legislation. Furthermore, the LGPD does not apply to data processing conducted by natural persons solely for personal, non-commercial purposes, or to data processed exclusively for journalistic, artistic, public security, national defense or state security purposes, or in activities connected with the investigation and repression of crimes. Additionally, data originating from outside Brazil that is not subject to communication or shared use with Brazilian processing agents is also exempt from the scope of the LGPD.

3.3. Territorial and extra-territorial application
Article 3 of the LGPD states that any processing activity conducted by a natural person or a legal entity is subject to the law, irrespective of where the entity is located or where the data resides. This applies if the activity meets any of the following conditions: (i) the processing occurs in Brazil; (ii) the processing aims to offer goods or services to, or involves handling personal data of, individuals in Brazil; or (iii) the personal data being processed was collected in Brazil. Consequently, due to the extraterritorial application of the LGPD, factors such as the country of incorporation or location of the processing agents' head offices, the nationality and residence of the data subjects, and the location of the data are deemed irrelevant in determining whether the LGPD applies to a specific personal data processing activity.

https://klalaw.com.br/en/home/

Brazil

Legislative Framework

4.1. Key stakeholders

4.1.1. Data subject
The term 'data subject' refers to the natural person associated with the personal data being processed, i.e. the individual to whom the personal data relates.

4.1.2. Controller
The controller is defined as the "natural or legal person, whether governed by public or private law, who is responsible for decisions relating to the processing of personal data". As the primary authority, the controller decides the purposes for which personal data is processed and sets the guidelines for processors on how to handle this data processing on its behalf.

4.1.3. Processor
The processor is defined as the "natural or legal person, whether governed by public or private law, who carries out the processing of personal data on behalf of the controller". In practical terms, the processor is most often a company hired by the controller to carry out data processing following instructions provided by the controller. Additionally, it is common practice for processors to engage sub-processors to assist in data processing activities. Although the LGPD did not initially define this concept, the ANPD later acknowledged its legality in its 'Guidelines for Definitions of Personal Data Processors and DPO', where a sub-processor is defined as an entity 'hired by the processor to aid in processing personal data on behalf of the controller.' The Guidelines also clarify that the sub-processor maintains a direct relationship with the processor, rather than with the controller.

4.1.4. Data Protection Officer ("DPO")
The Data Protection Officer ("DPO") is designated by the controller to serve as the liaison among the controller, data subjects, and the ANPD. According to Article 41, the controller must appoint a DPO, who will oversee the data processing operations. According to the ANPD's resolution[1], small processing agents are exempt from appointing a DPO. These agents include micro-enterprises, small businesses, startups, and legal entities governed by private law, such as non-profit organizations, as defined by current legislation. This category also extends to natural persons and depersonalized private entities involved in personal data processing and undertaking the typical responsibilities of a controller. However, if a small processing agent decides not to appoint a DPO, it must establish an alternative communication channel with the data subjects in order to comply with the resolution.

[1] CD/ANPD Resolution No. 2, of January 27, 2022. Available at: https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-2-de-27-de-janeiro-de-2022-376562019#wrapper

4.2. Role and responsibilities of key stakeholders

4.2.1. Controller
The Law defines the controller in Art. 5, item VI as a "natural or legal person, public or private law, to whom the decisions regarding the processing of personal data are incumbent." The controller acts as the key processing entity responsible for setting the purposes for personal data processing. This role involves specifying the objectives, methods, and extent of personal data handling. Under the LGPD, the controller's essential duties include: (i) adopting adequate measures to safeguard the security and confidentiality of personal data; (ii) maintaining records of processing activities ("ROPA"); (iii) providing directives to processors operating under their guidance; (iv) alerting the ANPD about any personal data breaches that require reporting; and (v) conducting a Data Protection Impact Assessment ("DPIA") to secure personal data, particularly sensitive personal data, concerning its processing activities.

4.2.2. Processor
The Law defines the processor in Art. 5, item VII as a "natural or legal person, public or private law, who processes personal data on behalf of the controller." As an agent tasked with processing personal data for the controller, the processor has several responsibilities, such as: (i) adhering to the controller's instructions; (ii) maintaining the security and confidentiality of the personal data; (iii) returning or erasing the personal data upon the controller's request; and (iv) documenting the ROPA. Under the Law, processors are jointly liable with the respective controllers for any damages arising from their processing activities if they violate legal obligations or disregard instructions from the controller. In instances of non-compliance by the processor, they will be considered, for liability purposes under the LGPD, as equivalent to the controller.

4.2.3. DPO
The DPO attributions defined by the Law are: "(i) to accept complaints and communications from the data subjects, provide explanations and take action about such communications; (ii) to receive communications from the ANPD and take action about such communications; (iii) to advise the employees and any independent contractors of the company on its practices about the protection of personal data; (iv) to perform any other attributions determined by the controller or established in complementary norms."

Requirements for Data Processing

5.1. Grounds for collection and processing
The LGPD provides that personal data processing activities carried out by entities may only be performed when relying on one of the following legal bases:
1. when the data subject has consented to the processing;
2. for compliance with legal or regulatory obligations by the controller;
3. by the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to the provisions of Chapter IV of the Law;
4. for carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data;
5. when necessary for the execution of a contract or preliminary procedures relating to a contract to which the data subject is a party;
6. for the regular exercise of rights in judicial, administrative, or arbitral proceedings;
7. for the protection of life and physical integrity of the data subject or third parties;
8. for the protection of health, in procedures performed by professionals of the health area or by sanitary entities;
9. when necessary to comply with the legitimate interests of the controller or of a third party, except when the fundamental rights and freedoms of the data subject prevail; and
10. for the protection of credit.

Art. 11 of the LGPD states that the processing of sensitive personal data can only be carried out:
1. with the express consent of the data subject or person responsible, for specific purposes; or
2. without the consent of the data subject, in cases where it is indispensable for:
a) compliance with a legal or regulatory obligation by the controller;
b) shared processing of personal data necessary for the execution, by the public administration, of public policies provided for in laws or regulations;
c) studies carried out by research bodies, guaranteeing, whenever possible, the anonymization of sensitive personal data;
d) the regular exercise of rights, including in contracts and in judicial, administrative, and arbitration proceedings;
e) protection of the life or physical safety of the data subject or a third party;
f) protection of health, exclusively in procedures carried out by health professionals, health services or health authorities; or
g) guaranteeing the prevention of fraud and the security of the data subject in processes of identification and authentication of registration in electronic systems.

Remarks on Consent: The LGPD defines consent as a freely given, informed, and unambiguous indication that the data subject agrees with the processing of their personal data for informed purposes. Consent must always be given in writing or by other means that evidence the effective manifestation of the data subject's free will, always under a clause separate from other contractual clauses, and shall relate to determinate purposes, any generic consent being deemed null. The data subject may, at any time, revoke their consent through a free and facilitated procedure that must be made available by the controller.

5.2. Data storage and retention timelines
Article 15 of the LGPD stipulates that personal data processing must cease upon the occurrence of any of the following conditions: (i) the purpose of the processing has been achieved, or the data is no longer necessary or relevant for that specific purpose; (ii) the designated processing period has ended; (iii) the data subject requests the termination of processing, including in the exercise of their right to withdraw consent, subject to the public interest; or (iv) the ANPD orders cessation due to a breach of the LGPD. The LGPD mandates that, once processing has ended, the personal data must be deleted, within the operational and technical limits of the processing activities. Retention of personal data is nevertheless permitted under specific conditions: (i) to fulfill a legal or regulatory obligation of the controller; (ii) for studies by a research entity, ensuring anonymization of the personal data whenever possible; (iii) for transfer to a third party, provided the LGPD's processing requirements are observed; or (iv) for the controller's exclusive use, without third-party access, provided the data is anonymized.

5.3. Data correction, completion, updating or erasure of data
As noted in Section 6.1, Article 18 of the LGPD grants data subjects


different rights regarding their personal data. Among these, individuals have the right to request, at any time, that the controller correct incomplete, inaccurate or outdated personal data.

5.4. Data protection and security practices and procedures
The LGPD mandates that controllers and processors implement technical and administrative safeguards to protect personal data against unauthorized access and against accidental or unlawful destruction, loss, alteration, disclosure or any other form of improper processing. The Law also encourages these entities to develop and implement best practices and governance frameworks, covering organizational conditions, operational protocols, internal procedures (including the handling of data subject requests), security policies, technical standards, the specific responsibilities of those engaged in processing activities, educational initiatives, internal monitoring and risk-mitigation mechanisms. In this context, the ANPD is empowered to define minimum technical standards for data security and confidentiality. Reflecting this, in 2021 the ANPD released the Information Security Guide for Small Processing Agents, which outlines a range of security measures tailored to small-scale agents.

5.5. Cross-border transfer of data
Article 33 of the LGPD specifies the conditions under which international data transfer is permitted, including: (i) to countries or international organizations that offer a level of personal data protection comparable to the LGPD; (ii) when the controller demonstrates compliance with the LGPD's principles and data subject rights through specific agreements or mechanisms such as standard contractual clauses, binding corporate rules or codes of conduct approved by the ANPD; (iii) for international legal cooperation among public intelligence, investigation or law enforcement agencies; (iv) to protect the life or physical safety of the data subject or of third parties; (v) with authorization from the ANPD; (vi) under international cooperation agreements; (vii) for the execution of public policies or public services; (viii) with the specific and express consent of the data subject, given with prior information about the international nature of the transfer; and (ix) to meet the requirements of items II, V and VI of Article 7. Furthermore, at the time of writing the ANPD was developing a regulation specifically addressing international data transfers, covering definitions, requirements, transfer mechanisms, approval processes and model standard contractual clauses for such transfers.


Rights and Duties of Data Providers/Principals
6.1. Rights and remedies
The LGPD grants data subjects the following rights, among others: (i) to obtain confirmation of the existence of processing activities involving their data; (ii) to access the data subject to processing; (iii) to correct incomplete, inaccurate or outdated data; (iv) to have unnecessary or excessive data anonymized, blocked or eliminated; (v) portability of their data to a different provider of goods or services; (vi) to eliminate data processed on the basis of their consent; (vii) to obtain information about the public and private entities with which their data is shared; (viii) to obtain information on the possibility of not giving consent and on the consequences of refusing it; (ix) to revoke their consent; and (x) to petition against the controller before the ANPD and, where applicable, before consumer defense bodies.

Data subjects also have the right to request review, by a natural person, of decisions made solely on the basis of automated processing of personal data that affect their interests, including decisions intended to define their personal, professional, consumer or credit profile, or aspects of their personality.

Data subjects shall have simplified access to information about the processing of their personal data, which shall be made available in a clear, adequate and ostensive form, indicating: (i) the specific purposes of the processing; (ii) the form and duration of the processing; (iii) the identification and contact information of the controller; (iv) information on the shared use of data by the controller and the purposes of such shared use; (v) the responsibilities of the agents involved in the processing; and (vi) the rights of the data subject.

6.2. Duties
No duties are imposed on data subjects under the LGPD.

Processing of Children or Minors' data
The LGPD is based on the premise that the processing of children's and adolescents' personal data must respect their fundamental rights, especially the rights to freedom, privacy and the free development of their personality. This entails considering the particular needs and preferences of each child or adolescent in an individualized and contextualized manner whenever the Law admits more than one interpretation or application. In May 2023, the ANPD released Statement No. 01/CD/ANPD, acknowledging that the processing of personal data of children and adolescents may rely on any of the legal bases set out in the LGPD, provided that the minor's best interests are observed and prevail, to be assessed in each specific case under Article 14 of the Law.

Regulatory Authorities
8.1. Overview of relevant statutory authorities
The ANPD, as the central authority responsible for ensuring the protection of data subjects' personal data, oversees data processing activities and regulates any matters that require further clarification under the LGPD. Established as an autarchy of a special nature linked to the Ministry of Justice and Public Security, the ANPD began its activities in November 2020.

In addition to the ANPD, other authorities also play roles in data protection cases within their specific competencies. For instance, the Consumer Protection and Defense Foundation (PROCON) may apply the sanctions provided in the Consumer Protection Code to data processing agents who violate data subjects' rights in connection with consumer rights. Meanwhile, the Judiciary Branch is responsible for adjudicating any lawsuits involving privacy and the protection of personal data, such as claims for compensation for moral or material damages arising from data leaks or the misuse of personal data.

8.2. Role, functions and powers of authorities
Among the functions and powers assigned to the ANPD are the duties to (i) ensure the rights of data subjects, (ii) supervise personal data processing activities carried out by public and private agents, (iii) apply administrative sanctions in the event of violations of the LGPD, (iv) guide and educate society on the rights and duties related to personal data, and (v) promote national and international cooperation on the subject.

8.3. Role, functions and powers of civil/criminal courts in the field of data regulation
The Judiciary Branch's role is to analyze and interpret the LGPD and to resolve legal disputes concerning privacy and data protection.


However, it does not have the authority to regulate data protection matters. Instead, its responsibility is to enforce and apply the rules and guidelines already established by the LGPD and the ANPD.

Consequences of non-compliance
9.1. Consequences and penalties for data breach
Article 42 of the LGPD mandates that any controller or processor who, in the course of personal data processing activities, causes property, moral, individual or collective damage to others in violation of data protection legislation is required to compensate that damage. This ensures that data subjects receive effective compensation for any harm they suffer due to non-compliance with data protection law. (Article 48, by contrast, concerns the controller's duty to notify the ANPD and the data subject of security incidents that may cause relevant risk or damage to data subjects.) The LGPD stipulates that processors are jointly and severally liable with controllers for damages caused by processing activities where they fail to comply with data protection law or disregard the controller's lawful instructions. In such cases, processors are held equally responsible alongside controllers for the resulting damages. Additionally, joint controllers directly involved in the processing activity that causes damage are jointly and severally liable, meaning that each controller can be held responsible for the full amount of the damage, which strengthens the protection afforded to data subjects.

Importantly, Article 43 of the LGPD sets out scenarios in which processing agents are exempt from liability. These exemptions apply if the processing agents can demonstrate (i) that they did not perform the personal data processing activity attributed to them; (ii) that they did perform the processing activity, but there was no violation of data protection legislation; or (iii) that the damage is solely attributable to the fault of the data subject or of a third party.

9.2. Consequences and penalties for other violations and non-compliance
Article 52 of the LGPD sets out a comprehensive range of administrative sanctions for data processing agents found in violation of its rules, emphasizing the law's commitment to enforcing data protection principles. The potential sanctions are: (i) a warning, with a deadline for adopting corrective measures; (ii) fines of up to two percent (2%) of the turnover of the private legal entity, group or conglomerate in Brazil in the last financial year, excluding taxes, capped at fifty million reais (R$50,000,000.00) per infraction; (iii) daily fines, subject to the same total limit of fifty million reais (R$50,000,000.00); (iv) publicization of the infraction after its occurrence has been duly ascertained and confirmed; (v) blocking of the personal data to which the infraction relates until the processing activity is regularized; (vi) deletion of the personal data to which the infraction relates; (vii) partial suspension of the operation of the database to which the infraction relates for a maximum period of six (6) months, extendable for the same period, until the controller regularizes the processing activity; (viii) suspension of the personal data processing activity to which the infraction relates for a maximum period of six (6) months, extendable for an equal period; and (ix) partial or total prohibition of the exercise of activities related to personal data processing. The LGPD requires that the application of these sanctions take into account a variety of factors, such as the severity and nature of the breach, the good faith of the breaching party, its economic condition, the extent of the damage, and its cooperation with the authorities.

Conclusion

Brazil has taken significant steps in data protection regulation with the enforcement of the LGPD in recent years. This landmark legislation serves as the cornerstone for protecting personal data, ensuring compliance with key principles, and aligning Brazil with international privacy and data protection standards. The ANPD plays a crucial role in this landscape, actively enforcing the LGPD's requirements for data controllers and processors. This combination of a legislative framework and an active regulator marks a major advance in Brazil's approach to data protection and positions the country as an active participant in the global dialogue on data protection standards.

Contact Us

+55 (11) 3799-8100 https://klalaw.com.br/en/home/ accesar@klalaw.com.br Av. Brigadeiro Faria Lima, 1355 São Paulo, SP 01452-919 Brazil

Canada

Introduction
As a federal state with law-making powers shared between the federal and provincial/territorial governments, Canada has both federal and provincial/territorial privacy laws governing the private and public sectors (as of March 2023, there were 36 different privacy laws federally, provincially and territorially in Canada). Canada's two federal privacy laws are: the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA); and the Privacy Act, R.S.C., 1985, c. P-21 (the Privacy Act). Currently, three provinces have legislation that is deemed substantially similar to PIPEDA:

the Personal Information Protection Act, SA 2003, c P-6.5 (Alberta); the Personal Information Protection Act, SBC 2003, c 63 (British Columbia); and an Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (Quebec).

The Privacy Commissioner of Canada (the Commissioner) oversees PIPEDA and the Privacy Act. The Commissioner is an independent agent of Parliament and heads the Office of the Privacy Commissioner of Canada (the OPC). While PIPEDA regulates the private sector and generally applies across Canada, the Privacy Act is a limited statute in that it applies only to federal government institutions and Crown corporations. This chapter highlights the key provisions of PIPEDA, as the principal private sector privacy legislation in Canada. It does not address provincial privacy laws, public sector privacy laws, or personal health information laws at the federal or provincial level.

Contact Us (416) 864 9700

https://www.foglers.com/ bhearn@foglers.com 77 King Street West Suite 3000, TD Centre North Tower Toronto, Ontario M5K 1G8 Canada


Governing Data Protection Legislation
1.1. Overview of principal legislation
In force since 2001, PIPEDA regulates the collection, use and disclosure of personal information by organizations in the course of commercial activities in Canada. It aims to balance an individual's right to privacy with an organization's need to collect, use and disclose personal information. PIPEDA applies regardless of the technology employed.

1.2. Upcoming or proposed legislation
The Federal Government has tabled Bill C-27, the Digital Charter Implementation Act, 2022. If passed, Bill C-27 would implement three new pieces of federal legislation: the Consumer Privacy Protection Act (CPPA); the Personal Information and Data Protection Tribunal Act (PIDPTA); and the Artificial Intelligence and Data Act (AIDA). The Federal Government has also tabled Bill C-26, legislation aimed at preventing cybersecurity incidents. There are ongoing provincial privacy law reform initiatives in Ontario, British Columbia and Alberta.

Consumer Privacy Protection Act (CPPA) If enacted, the CPPA would replace PIPEDA. It differs from PIPEDA in several key respects, some of which will be highlighted in this chapter. Personal Information and Data Protection Tribunal Act (PIDPTA) PIDPTA would establish the federal Personal Information and Data Protection Tribunal (the "Tribunal"). The Tribunal would hear appeals of certain findings, orders or decisions made by the Commissioner and impose administrative penalties of up to a maximum of C$10 million or 3% of the organization's gross global revenue, whichever is higher.
