CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

Brazil:
General Data Protection Law ("LGPD"), Law 13,709/2018, a comprehensive data protection law comparable to the GDPR.

Serbia:
Law on Personal Data Protection ("RS Official Gazette", No. 87/2018) (the "PDP Law")

2. Data protection authority

Brazil:
National Authority of Data Protection ("ANPD")

Serbia:
Commissioner for Information of Public Importance and Personal Data Protection (the "Commissioner")
http://www.poverenik.rs/index.php

3. Anticipated changes to local laws

Brazil:
The LGPD came into force on 18 September 2020. However, the law was amended in 2020, postponing the application of the administrative sanctions to 1 August 2021.

Serbia:
There are no anticipated changes.

4. Sanctions & non-compliance

Brazil:
Administrative sanctions:
  • warning;
  • fine of up to 2% of the revenue in Brazil of the entity, group or conglomerate in its last fiscal year, limited to BRL 50m per infraction;
  • daily fine;
  • publication of the infraction;
  • blocking of the personal data to which the infraction relates, until the situation is regularised;
  • erasure of the personal data to which the infraction relates.

Criminal sanctions:

None.

Others: 

Individual claims for damages and losses caused by violation of personal data.

Claims from the Consumer Protection Units and the Public Prosecutor for damages and losses caused by violation of the data subject's personal data.

Serbia:
Monetary fines:

The PDP Law introduces penalties for legal entities and for responsible persons within legal entities in case of acting contrary to the provisions of the PDP Law.

It imposes monetary fines for violations by the legal entity in the range of RSD 50,000 to RSD 2m (approx. EUR 450 to EUR 16,000) and for the responsible person within the legal entity in the range of RSD 5,000 to RSD 150,000 (approx. EUR 40 to EUR 1,200).

The legal entity may also have to pay a fine of up to 10% of the undertaking's income realised in Serbia in the previous year in case of failing to apply, or infringing, the data protection authority's order limiting processing or suspending data flows.

Criminal liability:

The Serbian Criminal Act prescribes the unauthorised collection of personal data as a criminal offence. Therefore, it cannot be excluded that a natural person who acts contrary to the provisions of the PDP Law would be subject to criminal liability.

Others:
  • Reputational risk;
  • Reimbursement of potential damages (material and non-material).

5. Registration / notification / authorisation

Brazil:
The LGPD provides for notification to the ANPD and to data subjects of security incidents that may cause a risk or relevant damage to data subjects.

There is no requirement to register data processing activities, databases or cross-border flow with the ANPD. There is no provision for payment of the data protection fee. 

Serbia:
N/A

6. Main obligations and processing requirements

Brazil:
The Controller and Data Processor must comply with the principle of good faith and the following principles: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, liability and demonstration of compliance with the law.

The Data Controller and Data Processor shall keep records of the processing of personal data. 

The Controller shall appoint an "in charge person" (DPO) who shall act as a communication channel between the Controller, Data Subject and the ANPD.

The processing agents shall adopt security, technical and administrative measures to protect personal data from unauthorised access and from illicit or accidental incidents that lead to the destruction, loss, alteration, communication or any other form of illicit or inadequate access.

The Controller must notify the ANPD and the data subjects of any security incident that could result in a risk or relevant damage to data subjects.

Serbia:
  • Maintaining records of processing activities;
  • Implementing appropriate technical, organisational and human resources measures;
  • Cooperating with the Commissioner;
  • Complying with the information requirement;
  • Ensuring appropriate legal grounds for processing;
  • Complying with restrictions on transfers of personal data;
  • Appointing a Data Protection Officer, where applicable;
  • Notifying personal data breaches to the Data Subject and the Commissioner, in accordance with the PDP Law;
  • Conducting a Data Protection Impact Assessment, where applicable;
  • Enabling the exercise of Data Subject rights in accordance with the PDP Law.

7. Data subject rights

Brazil:
The Data Subject has the following rights:

  • confirmation of the existence of personal data;
  • access to data;
  • correction of incomplete, inaccurate or out-of-date data;
  • anonymisation, blocking or erasure of unnecessary or excessive data, or of data processed in non-compliance with the law;
  • portability of data;
  • erasure of personal data obtained with consent;
  • information regarding the sharing of data with private and public entities;
  • information on the possibility of not providing consent and the negative consequences of refusal;
  • revocation of consent;
  • complaint about data processing to the ANPD;
  • objection to processing carried out without consent, if it is not in compliance with the law;
  • review of automated decision-making based on personal data that may affect the data subject's interests.

Serbia:
The Data Subject has the following rights:

  • to be informed;
  • to access;
  • to rectification and supplementation;
  • to erasure of personal data;
  • to restriction of processing;
  • to personal data portability; and
  • to object.

8. Processing by third parties

Brazil:
Processing by third parties is subject to the data subject's consent.

Serbia:
Where the processor engages a sub-processor, the same data protection obligations as set out in the PDP Law or in the Data Protection Agreement signed between the controller and the processor are imposed on that sub-processor by way of an agreement or other legal act signed between the processor and the sub-processor. In particular, that agreement must provide sufficient guarantees that appropriate technical, organisational and human resources measures will be implemented so that the processing meets the requirements of the PDP Law. Where the sub-processor fails to fulfil its personal data protection obligations, the initial processor remains fully liable to the controller for the performance of that sub-processor's obligations.

9. Transfers out of country

Brazil:
The international transfer of personal data is allowed in the following cases:

  • to countries or international organisations that provide the appropriate level of personal data protection required by the LGPD;
  • where the controller demonstrates that compliance with the principles, data subject rights and data protection regime established in the LGPD is assured either by: a) specific contractual provisions for a given transfer; b) standard terms and conditions; c) global corporate rules; or d) seals, certificates or codes of conduct;
  • where the transfer is required for international legal cooperation between government intelligence, investigation and police bodies; 
  • where the transfer is required for life protection or physical integrity of the data subject or any third party; 
  • where the ANPD authorises such a transfer; 
  • where the transfer results in a commitment undertaken under an international cooperation agreement; 
  • where the transfer is required for the enforcement of a public policy or the legal attribution of a public service;
  • where the data subject has provided specific and highlighted consent for such a transfer, with previous information on the international nature of the operation, clearly distinguishing it from any other purposes; or
  • where required for compliance with a statutory or regulatory obligation by the controller or whenever necessary for the performance of agreements or preliminary procedures relating to agreements to which the data subject is a party, at the request of the data subject or in the regular exercise of rights in lawsuits, administrative or arbitration proceedings.

Serbia:
Data transfer to countries not specified in the PDP Law or in the "white list" is allowed only if the controller/processor has ensured appropriate safeguards, as prescribed by the PDP Law, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The following are considered to be appropriate safeguards under the PDP Law: 

  • A legally binding and enforceable instrument between public authorities or bodies;
  • Standard Data Protection clauses adopted by the Commissioner that regulate the legal relationship of the Controller and the Processor;
  • Binding corporate rules approved by the Commissioner; 
  • An approved code of conduct with binding and enforceable commitments of the controller/processor in the third country to apply the appropriate safeguards, or an approved certification mechanism.

10. Data Protection Officer

Brazil:
An "in charge" person shall be appointed by the Controller to:

  • accept complaints and communications from data subjects, provide clarification and take measures;
  • receive communications from the ANPD and take appropriate measures;
  • instruct staff and contractors in respect of data processing practices; and
  • perform any other instructions given by the Controller or established by complementary rules.

Serbia:
Controllers and processors are required to designate a data protection officer ("DPO") if: (a) the processing is carried out by a public authority; or (b) the core activities of the controller/processor require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data (e.g. health data or trade union membership) or of criminal convictions/offences data.

11. Security

Brazil:
The LGPD establishes that the ANPD may provide for minimum standard technical security measures.

The processing agents shall adopt security, technical and administrative measures to protect personal data from unauthorised access and from illicit or accidental incidents that lead to the destruction, loss, alteration, communication or any other form of illicit or inadequate access.

Serbia:
Data controllers and data processors shall take all necessary technical, human resources and organisational measures to protect data in accordance with the established standards and procedures, in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse, as well as to impose an obligation of confidentiality on all persons who work on data processing.

12. Breach notification

Brazil:
The Controller is required to report to the ANPD and to the data subjects any security incident that may cause a risk or relevant damage to data subjects. It is also recommended to report incidents to the company's sector regulator or to consumer protection units (if related to consumer relations).

Serbia:
If a data breach may create a risk to the rights and freedoms of natural persons, the controller must notify the Commissioner without undue delay and not later than 72 hours after becoming aware of the breach.

If a data breach may create a high risk to the rights and freedoms of natural persons, the controller is obliged to notify the affected data subjects without undue delay.

13. Direct marketing

Brazil:
The LGPD does not specifically provide for direct marketing, but it is understood that data processing for direct marketing requires the data subject's consent.

Serbia:
Prior informed consent of the data subject (a natural person) is required for direct marketing (via mail, email, phone, etc.). The data subject must be able to withdraw consent at any time. If the data subject no longer wants to receive advertising messages, the advertiser must stop direct marketing.

These rules do not apply to natural persons who carry out a business activity, in relation to that business activity.

14. Cookies and adtech

Brazil:
The LGPD does not specifically deal with cookies and adtech, but it is understood that data processing for cookies and adtech requires the data subject's consent.

Serbia:
Not regulated, so the general personal data protection rules apply.

15. Risk scale

Brazil:
Moderate

Serbia:
Moderate

Commissioner for Personal Data Protection website: https://www.poverenik.rs/en/

Cybersecurity

1. Local cybersecurity laws and scope

Brazil:
There are no dedicated laws related specifically to cybersecurity in Brazil. However:

  • The Consumer Code and the Internet Act provide for certain principles and rules; 
  • The Criminal Code (Decree Law 2,848/1940) establishes the crime of “invasion” of a computing device;
  • LGPD extends to any category of personal data (both offline and online).

Serbia:
The Law on Information Security ("Official Gazette of RS", Nos. 6/2016, 94/2017 and 77/2019) (the "Law")

2. Anticipated changes to local laws

Brazil:
Despite the lack of a cybersecurity-specific law or regulator, an "E-Ciber" strategy was introduced in 2020:

  • It aims to make Brazil into a “country of excellence” in the sector;
  • It has set out ten strategic ways to strengthen the cybersecurity arena, including: centralisation of the national cybersecurity system; an increase in international cooperation; an improvement in cyber governance in both the public and private sectors; and enhanced protection of critical infrastructure;
  • It also envisages the creation of a new cybersecurity law (yet to materialise).

Serbia:
There are no anticipated changes.

3. Application 

Brazil:
Not applicable.

Serbia:
The Law specifies measures for protection against security risks in information and communication systems, sets out the liability of legal entities in the management and use of information and communication systems, and designates the competent authorities responsible for implementing the protection measures, coordinating between the protection factors, and monitoring the proper application of the prescribed protection measures, software and software development tools.

4. Authority

Brazil:
Brazil does not have a cybersecurity-specific regulator. The regulatory authority for cybercrime is the Ministry of Justice and Public Security.

5. Key obligations 

Brazil:
Not applicable.

Serbia:
  • Adopting an internal by-law on the security of the information and communication system and implementing security measures;
  • Appointing a person or organisational unit responsible for security supervision of the information and communication system;
  • Providing a report on the internal control of the information and communication system;
  • Mandatory reporting of incidents related to the information and communication system.

6. Sanctions & non-compliance 

Brazil:
Administrative sanctions:

Under the LGPD:

  • warning;
  • fine of up to 2% of the revenue in Brazil of the entity, group or conglomerate in its last fiscal year, limited to BRL 50m per infraction;
  • daily fine;
  • publication of the infraction;
  • blocking of the personal data to which the infraction relates, until the situation is regularised;
  • erasure of the personal data to which the infraction relates.

Criminal sanctions:

A breach of an IT device could be subject to a fine and imprisonment (from three months to two years).

Others: 

Under the LGPD:

Individual claims for damages and losses caused by violation of personal data. Claims from the Consumer Protection Units and the Public Prosecutor for damages and losses caused by violation of the data subject's personal data.

Serbia:
Monetary fines:

Fine of up to RSD 2m (EUR 16,800) for a legal entity and up to RSD 50,000 (approx. EUR 400) for a responsible person within the legal entity.

Criminal sanctions:

N/A

Others:
  • Reputational risk;
  • Reimbursement of potential damages (material and non-material).

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Brazil:
CERT.br is the Brazilian National Computer Emergency Response Team.

A list of CSIRTs can be found here: www.cert.br

Serbia:
Yes. The tasks of the national CERT are assigned to the Regulatory Agency for Electronic Communications and Postal Services (RATEL).

8. National cybersecurity incident management structure

Brazil:
N/A

Serbia:
The Serbian Government has established a body to coordinate work on information security and has adopted a Decree on the procedure for notifying incidents relating to information and communication systems of particular importance.

9. Other cybersecurity initiatives 

Brazil:
A cybersecurity law as envisaged by E-Ciber, but this has yet to materialise.

Serbia:
N/A

Carolina Vaissman Uribe
Senior Associate
Rio de Janeiro
Jelena Đorđević
Attorney-at-Law
Belgrade
Ksenija Ivetić Marlović
Attorney-at-Law
Belgrade
Mina Radonjic