ILN Data Privacy Paper

Brazil

2.2. Additional or ancillary regulation, directives or norms A key provision of the LGPD is the establishment of the Brazilian Data Protection Authority (“ANPD”). Beyond its main role in overseeing data processing and legislation adherence, the ANPD also offers comprehensive guidance and clarification on complex and important issues encountered by data controllers in their operations. The ANPD has issued several regulations to enhance clarity and compliance within the LGPD framework, including the Regulation of the Inspection and Administrative Sanctioning Processes, specific to the ANPD's role and authority. The Authority has also issued regulations for applying the LGPD to small-scale data controllers and on the application of penalties, among others. Scope of Application 3.1. Legislative Scope The LGPD applies to any personal data processing activity carried out by individuals or legal entities, whether private or public. This applies regardless of the processing method (online or offline), the company's headquarters location, or the data's location, provided that: (i) the processing is performed in national territory; (ii) the processing activity has the purpose of offering or providing goods or services to individuals located in the national territory; (iii) the processing activities have, as purpose, the processing of data from individuals located in the

national territory; or (iv) when the personal data has been collected in the national territory. The country in which the processing agents were incorporated or have head offices, the nationality and place of residence of the data subjects and the country where the data is located are all elements that are considered irrelevant to the assessment of whether the LGPD shall apply to a given processing activity. 3.1.1. Definition of personal data Personal data is defined as any information related to an identified or identifiable natural person. Under the LGPD, personal data encompasses not only directly identifying information, such as names, and identification numbers, but also information that, when combined or utilized in conjunction, enables the identification of an individual. 3.1.2. Definition of different categories of personal data Sensitive personal data is classified as any personal information related to an individual's racial or ethnic origin, religious beliefs, political opinions, membership in trade unions, or religious, philosophical, or political organizations, as well as data concerning health, sexual life, and genetic or biometric details. The processing of these categories of personal data poses significant risks

https://klalaw.com.br/en/home/

Made with FlippingBook - PDF hosting