Brazil
4.2. Role and responsibilities of key stakeholders 4.2.1 Controller The Law defines the controller in Art. 5, item VI as a "natural or legal person, public or private law, to whom the decisions regarding the processing of personal data are incumbent." The controller acts as the key processing entity responsible for setting the purposes for personal data processing. This role involves specifying the objectives, methods, and extent of personal data handling. Under the LGPD, the controller's essential duties include: (i) adopting adequate measures to safeguard the security and confidentiality of personal data; (ii) maintaining records of processing activities (“ROPA”); (iii) providing directives to processors operating under their guidance; (iv) alerting the ANPD about any personal data breaches that require reporting; (v) conducting a Data Protection Impact Assessment (“DPIA”) to secure personal data, particularly sensitive personal data, concerning its processing activities. 4.2.2 Processor The Law defines the processor in Art. 5, item VII as a "natural or legal person, public or private law, who processes personal data on behalf of the controller." As an agent tasked with processing personal data for the controller, the processor has several responsibilities, such as: (i) adhering to the controller's instructions; (ii) maintaining the security and
confidentiality of the personal data; (iii) returning or erasing the personal data upon the controller's request; and (iv) documenting the ROPA. Under the Law, processors are jointly liable with the respective controllers for any damages arising from their processing activities if they violate legal obligations or disregard instructions from the controller. In instances of non-compliance by the processor, they will be considered, for liability purposes under the LGPD, as equivalent to the controller. 4.2.3 DPO The DPO attributions defined by the Law are: “(i) to accept complaints and communications from the data subjects, provide explanations and take action about such communications; (ii) to receive communications from the ANPD and take action about such communications; (iii) to advise the employees and any independent contractors of the company on its practices about the protection of personal data; (iv) to perform any other attributions determined by the controller or established in complementary norms.” Requirements for Data Processing 5.1. Grounds for collection and processing The LGPD provides that personal data processing activities carried out
https://klalaw.com.br/en/home/
Made with FlippingBook - PDF hosting