Brazil
(i) the purpose for processing the personal data has been achieved, or the data is no longer necessary or relevant for that specific purpose; (ii) the designated processing period concludes; (iii) the data subject requests the termination of processing, including as part of their right to withdraw consent, while considering public interest; or (iv) the ANPD mandates cessation due to a breach of the LGPD's regulations. The LGPD mandates that, following the conclusion of personal data processing activities, the personal data must be deleted within the operational and technical constraints of these activities. However, personal data retention is permitted under specific conditions: (i) to fulfill a legal or regulatory obligation by the controller; (ii) for research purposes by a research entity, ensuring anonymization of the personal data whenever possible; (iii) for transfer to a third party, subject to adherence to the LGPD's data processing requirements; or (iv) for the controller's exclusive use, without third-party access, provided the data is anonymized. 5.3 Data correction, completion, updating, or erasure of data As established in Section 6.1, Article 18 of the LGPD grants data subjects different rights regarding their personal data. Among these, individuals have the right to request that the controller correct any incomplete, inaccurate, or outdated personal data at any time upon their request. 5.4 Data protection and security practices and procedures https://klalaw.com.br/en/home/
The LGPD mandates that controllers and processors implement technical and administrative safeguards to protect personal data against unauthorized access, as well as against accidental or illegal destruction, loss, alteration, disclosure, or any other form of improper processing. Moreover, the Law encourages the development and implementation of best practices and governance frameworks by these entities. This encompasses addressing organizational conditions, operational protocols, internal procedures (including handling data subject requests), security policies, technical standards, specific responsibilities for those engaged in processing activities, educational initiatives, internal monitoring, and mechanisms for mitigating risks. In this context, the ANPD is empowered to define minimum technical standards for data security and confidentiality. Reflecting this, in 2021, the ANPD released the Information Security Guide for Small Processing Agents to outline a range of security measures tailored to small-scale agents. 5.5 Cross-border transfer of data Article 33 of the LGPD specifies the conditions under which international data transfer is permitted, including: (i) to entities in countries or international organizations that offer a level of personal data protection comparable to the LGPD;
Made with FlippingBook - PDF hosting