(Aug. 28, 2018) On August 14, 2018, Brazil enacted Law No. 13,709 for the protection of personal data in the country. (Lei No. 13.709, de 14 de Agosto de 2018, Presidency of the Republic website).
Article 1 of the Law provides for the processing of personal data, including digital media, by either a natural person or public or private legal entity, for the purpose of protecting a person’s fundamental rights of freedom, privacy, and free development of personality.
The protection of personal data is based on respect for privacy; informational self-determination; freedom of expression, information, communication, and opinion; the inviolability of intimacy, honor, and image; economic and technological development and innovation; free enterprise, free competition, and consumer protection; and human rights, free development of personality, dignity, and the exercise of citizenship by natural persons. (Id. art. 2.)
Law No. 13,709 applies to any data processing carried out by either a natural person or public or private legal entity, regardless of the means, the country of the legal entity’s headquarters, or the country in which the data are located, provided that
- the processing is carried out in the national territory,
- the purpose of the processing is the offer or supply of goods or services or the processing of data of individuals located in the national territory, and
- the personal data object of the processing has been collected in the national territory. (Id. art. 3.)
The data are considered to have been collected in the national territory when the holder of the personal data was located in Brazil at the time of the collection. (Id. art. 3(§ 1).)
Article 4 determines the situations to which Law No. 13,709 does not apply, while article 5 defines several concepts related to the Law, including, but not limited to, personal data, data banks, controller, operator, processing, international transfer of data, and national authority. The processing of personal data must be done in good faith and in accordance with the principles listed in article 6 of the Law. (Id. art. 6.)
In accordance with article 7, the processing of personal data may be carried out only
- with the consent of the holder;
- for compliance with a legal or regulatory obligation by the controller;
- by the public administration, for the treatment and shared use of data necessary for the execution of public policies provided for in laws and regulations or backed by contracts, agreements or similar instruments, subject to the provisions of chapter IV of Law No. 13,709;
- to carry out studies by a research body, guaranteeing, whenever possible, the anonymization of personal data;
- when necessary for the execution of a contract or preliminary procedures related to a contract of which the holder is a party, at the request of the data owner;
- for the regular exercise of rights in judicial, administrative or arbitral proceedings, the latter in accordance with Law No. 9,307 of September 23, 1996 (Arbitration Law);
- for the protection of the life or physical safety of the holder or third party;
- for the protection of health, in a procedure carried out by health professionals or by health entities;
- when necessary to meet the legitimate interests of the controller or of a third party, except in the case of the holder’s fundamental rights and freedoms that require the protection of personal data; or
- for the protection of credit, including in relation to the provisions in the pertinent legislation.
Law No. 13,709 further determines that the consent mentioned above must be provided in writing or by other means that demonstrates the expression of will of the holder (id. art. 8), and that the holder has the right to easy access to information on the processing of his or her data, which should be made available in a clear, adequate, and ostensible manner, among other characteristics provided for in a regulation concerning compliance with the principle of free access (id. art. 9).
The controller or the operator who, due to the exercise of the processing of personal data, causes to another party property, moral, individual, or collective damage, in violation of the legislation on the protection of personal data, is obliged to repair it. (Id. art. 42.) Data processing agents are subject to administrative sanctions for infractions to the norms provided for in Law No. 13,709. (Id. art. 52.)
A foreign company must be notified and summonsed of all procedural acts provided for in Law No. 13,709, regardless of power of attorney or contractual or statutory provisions, in the person of the agent or representative, or person responsible for its branch, agency, establishment, or office installed in Brazil. (Id. art. 62.)