ILN Data Privacy Paper

Brazil

This applies if the activity meets any of the following conditions: (i) the processing occurs in Brazil; (ii) the processing aims to offer goods or services or involves handling personal data of individuals in Brazil; or (iii) the personal data being processed was collected in Brazil. Consequently, due to the extraterritorial application of the LGPD, factors such as the country of incorporation or location of the processing agents' head offices, the nationality and residence of the data subjects, and the location of the data are deemed irrelevant in determining whether the LGPD applies to a specific personal data processing activity.

Legislative Framework

4.1 Key stakeholders

4.1.1 Data subject

The term ‘data subject’ refers to the natural person associated with the personal data being processed. Essentially, it denotes the individual who is related to the personal data.

4.1.2 Controller

The controller is defined as the "natural or legal person, whether governed by public or private law, who is responsible for decisions relating to the processing of personal data". As the primary authority, the controller decides the purposes for which personal data is processed and sets the guidelines for processors on how to handle this data processing on their behalf.

4.1.3 Processor

The processor is defined as the “natural or legal person, whether governed by public or private law, who carries out the processing of personal data on behalf of the controller”. In practical terms, the processor is most often a company hired by the controller to carry out data processing following instructions provided by the controller. Additionally, it is a common practice for processors to engage sub-processors to assist in data processing activities. Although the LGPD did not initially define this concept, the ANPD later acknowledged its legality. This recognition was made in the ANPD's 'Guidelines for Definitions of Personal Data Processors and DPO', where a sub-processor is defined as an entity 'hired by the processor to aid in processing personal data on behalf of the controller.' The Guidelines also clarify that the sub-processor maintains a direct relationship with the processor, rather than with the controller.

4.1.4 Data Protection Officer (“DPO”)

The Data Protection Officer (“DPO”) is designated by the controller to serve as the liaison among the controller, data subjects, and the ANPD. According to Article 41, the controller must appoint a DPO, who will oversee the data processing operations.

https://klalaw.com.br/en/home/
