CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

General Data Protection Law ("LGPD") 13,709/2018, a comprehensive data protection law comparable to the GDPR. 

  • The Personal Data Protection Act (“ZVOP-1”) became applicable before the EU General Data Protection Regulation (“EU GDPR”). As Slovenia has not yet adopted a new act supplementing the EU GDPR, the ZVOP-1 provisions that cover matters not regulated by the EU GDPR, and that do not conflict with it, still apply.
  • The Information Commissioner Act (“ZInfP”) sets the competences and powers of the Information Commissioner.
  • The Electronic Communications Act (“ZEKom-1”) sets the requirements for electronic communications networks and services, including cookies and direct marketing by electronic means. ZEKom-1 implemented the EU Privacy and Electronic Communications Directive (e-Privacy Directive) in Slovenia. 

2. Data protection authority

National Authority of Data Protection ("ANPD")

Information Commissioner of the Republic of Slovenia: https://www.ip-rs.si/en/

3. Anticipated changes to local laws

The LGPD came into force on 18 September 2020. However, the law was amended in 2020, postponing the application of the administrative sanctions to 1 August 2021. 

Supplementing the EU GDPR

Expected adoption of the new Personal Data Protection Act (“ZVOP-2”), which would ensure the implementation of the EU GDPR.

ePrivacy

The new EU ePrivacy Regulation is set to replace the ePrivacy Directive in relation to the privacy of electronic communications. In effect, this will replace local EU Member State ePrivacy laws.

4. Sanctions & non-compliance

Administrative sanctions: 
  • warning; 
  • fine of up to 2% of the revenue in Brazil of the entity, group or conglomerate in its last fiscal year, limited to BRL 50m per infraction;
  • daily fine;
  • publication of the infraction;
  • blocking of the personal data to which the infraction relates until the situation is regularised; 
  • erasure of the personal data to which the infraction relates.

Criminal sanctions: 

None.

Others: 

Individual claims for damages and losses caused by violation of personal data. 

Claims by the Consumer Protection Units and the Public Prosecutor for damages and losses caused by violation of the data subject's personal data. 

Administrative sanctions:

Until ZVOP-2, which would ensure the implementation of the EU GDPR, is adopted, the Information Commissioner has no legal basis for imposing administrative fines under the EU GDPR; it can impose only those fines under ZVOP-1 that are not contrary to the EU GDPR.

Fines under ZVOP-1 amount to up to EUR 12,500.

Criminal sanctions:

In the event of a criminal offence of misuse of personal data, a fine or imprisonment from one to five years may be imposed.

Others: 

The Information Commissioner also has the powers under the Inspections Act.  

A data subject may (in addition to making a complaint to the Information Commissioner) also make a claim to the courts for compensation for material or non-material damage (which may include distress). 

5. Registration / notification / authorisation

The LGPD provides for notification to the ANPD and to data subjects of security incidents that may cause risk or relevant damage to data subjects. 

There is no requirement to register data processing activities, databases or cross-border flows with the ANPD. There is no provision for payment of a data protection fee. 

N/A

6. Main obligations and processing requirements

The Controller and Data Processor must comply with the principle of good faith and the following principles: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, liability and demonstration of compliance with the law. 

The Data Controller and Data Processor shall keep records of the processing of personal data. 

The Controller shall appoint an "in charge person" (DPO) who acts as the communication channel between the Controller, the data subjects and the ANPD.

The processing agents shall adopt security, technical and administrative measures to protect personal data from unauthorised access and from illicit or accidental incidents that lead to destruction, loss, alteration, communication or any other form of illicit or inadequate access. 

The Controller must notify the ANPD and the data subjects of any security incident that could result in a risk or relevant damage to data subjects.

Watch out for specifics regarding video surveillance, biometrics and employment.

7. Data subject rights

The Data Subject has the following rights:

  • confirmation of existence of personal data;
  • access to data;
  • correction of incomplete, inadequate or out of date data;
  • anonymisation, blocking or erasure of unnecessary, excessive or non-compliantly processed data;
  • portability of data;
  • erasure of personal data obtained with consent; 
  • information regarding the sharing of data with private and public entities;
  • information on the possibility of not providing consent and the negative consequences;
  • revocation of consent;
  • complaint about data processing to the ANPD;
  • opposition to data processing obtained without consent, if it is not in compliance with the law;
  • review of automated decision-making based on personal data that may affect the data subject’s interests. 

There are no substantive derogations from the EU GDPR.

8. Processing by third parties

Processing by third parties is subject to the data subject’s consent. 

Since the ZVOP-1 provisions on data security still apply, the data processing agreement must lay down the data processing activities and the appropriate technical and organisational security measures to protect personal data; a mere reference to proper handling of personal data and compliance with the provisions of data protection legislation does not suffice.

9. Transfers out of country

The international transfer of personal data is allowed in the following cases: 

  • to countries or international organisations that provide the appropriate level of personal data protection required by the LGPD;
  • where the controller demonstrates that compliance with the principles, data subject rights and data protection regime established in the LGPD is assured by: a) specific contractual provisions for a given transfer; b) standard terms and conditions; c) global corporate rules; or d) seals, certificates or codes of conduct; 
  • where the transfer is required for international legal cooperation between government intelligence, investigation and police bodies; 
  • where the transfer is required for life protection or physical integrity of the data subject or any third party; 
  • where the ANPD authorises such a transfer; 
  • where the transfer results in a commitment undertaken under an international cooperation agreement; 
  • where the transfer is required for enforcement of a public policy or legal attribution of the public utility; 
  • where the data subject has provided specific and highlighted consent for such a transfer, with previous information on the international nature of the operation, clearly distinguishing it from any other purposes; or
  • where required for compliance with a statutory or regulatory obligation by the controller or whenever necessary for the performance of agreements or preliminary procedures relating to agreements to which the data subject is a party, at the request of the data subject or in the regular exercise of rights in lawsuits, administrative or arbitration proceedings.

There are no substantive derogations from the EU GDPR.

10. Data Protection Officer

An “in charge” person shall be appointed by the Controller to:

  • accept complaints and communication by data subjects, provide clarification and take measures;
  • receive communication from the ANPD and take appropriate measures;
  • instruct staff and contractors in respect of data processing practices; and
  • perform any other instructions given by the Controller or established by complementary rules. 

There are no substantive derogations from the EU GDPR.

11. Security

The LGPD establishes that the ANPD may provide for minimum standard technical security measures. 

The processing agents shall adopt security, technical and administrative measures to protect personal data from unauthorised access and from illicit or accidental incidents that lead to destruction, loss, alteration, communication or any other form of illicit or inadequate access. 

There are no substantive derogations from the EU GDPR, however some provisions of the ZVOP-1 still apply. For example, data controllers must adopt a general act that provides procedures and measures for the protection of personal data and determine the persons responsible for certain personal databases and persons who, due to the nature of their work, may process certain personal data. 

12. Breach notification

The Controller is required to report to the ANPD and to the data subjects any security incident that may cause risk or relevant damage to data subjects. It is also recommended to report incidents to the company’s sector regulator or to consumer protection units (if related to consumer relations). 

There are no substantive derogations from the EU GDPR.

13. Direct marketing

The LGPD does not specifically provide for direct marketing, but it is understood that the data processing for direct marketing requires the data subject’s consent.

If by email: ZEKom-1 prohibits the use of email addresses for direct marketing purposes without the customer’s prior consent, unless:

  • the customer purchased a product or service from the person proposing to undertake the marketing;
  • the direct marketing relates to an offering of the person proposing to undertake the marketing their own similar goods or services; and
  • the customer was given a clear and explicit possibility to opt out of the use of its email address for direct marketing purposes free of charge and in a simple manner, both when their details were collected and in each subsequent marketing communication.

If by regular mail: for the purpose of direct marketing the company may use only the following data collected from publicly available sources or in the context of the lawful pursuit of the company’s activity: personal name, address of residence and phone/fax number. For any other data the company must obtain prior consent. The company must provide the individual with an opt-out option when performing direct marketing.

14. Cookies and adtech

The LGPD does not specifically deal with cookies and adtech, but it is understood that the data processing for cookies and adtech requires the data subject’s consent.

Cookies and similar technologies are covered by ZEKom-1. The basic rule is that organisations must: 

  • clearly and comprehensively inform the user in advance about the data controller and the purpose of data processing in line with data protection rules;
  • get the user’s prior consent, unless the cookie is:
    • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
    • strictly necessary for the provision of a service explicitly requested by the user.

The duration of cookies should also be specified. 

Cookies consent under ZEKom-1 means consent to the same standard as is required under the EU GDPR.

These rules apply to cookie-based adtech and online marketing (whether or not personal data is used). Where personal data is processed, the requirements of the EU GDPR must also be complied with.

The Information Commissioner has published FAQs on the use of cookies and similar technologies.

15. Risk scale

Moderate

Severe.

Cybersecurity

1. Local cybersecurity laws and scope

There are no dedicated laws related specifically to cybersecurity in Brazil. However:

  • The Consumer Code and the Internet Act provide for certain principles and rules; 
  • The Criminal Code (Decree Law 2,848/1940) establishes the crime of “invasion” of a computing device;
  • LGPD extends to any category of personal data (both offline and online).

The key cybersecurity laws that apply in Slovenia are: 

2. Anticipated changes to local laws

Despite the lack of cybersecurity-specific law or regulator, an “E-Ciber” strategy was introduced in 2020: 

  • It aims to make Brazil into a “country of excellence” in the sector;
  • It has set out ten strategic ways to strengthen the cybersecurity arena, including: centralisation of the national cybersecurity system; an increase in international cooperation; an improvement in cyber governance in both the public and private sectors; and enhanced protection of critical infrastructure;
  • It also envisages the creation of a new cybersecurity law (yet to materialise).

There is a proposal before the European Commission to update the NISD. Once the proposal is agreed and then adopted, the EU Member States will have 18 months to transpose the updated Directive into their domestic legislation.

3. Application 

Not applicable.

ZInfV 
  • The NISD was implemented in Slovenia by the ZInfV. ZInfV applies to operators of essential services (OES), digital service providers (DSP), and certain state administration bodies. 
  • OES are organisations that meet certain threshold requirements and operate within the following sectors: energy, digital infrastructure, drinking water supply and distribution, health, transport, banking, financial market infrastructure, food supply and environmental protection. 
  • DSP are legal entities or natural persons that provide digital services. Digital services are online marketplace, search engine and cloud computing services. 
  • ZInfV regulates, inter alia, the security of networks and information systems and the measures for achieving a high level of security of networks and information systems, minimum security requirements, incident reporting requirements, and the operation of the authorities responsible for information security and security incidents. 
ZEKom-1
  • The ePrivacy Directive was implemented in Slovenia by ZEKom-1, which has been amended several times;
  • ZEKom-1 regulates, inter alia, electronic communications networks and services, the construction of electronic communications networks, the security of networks and services and their operation in emergency situations, and the protection of the right to privacy of communications. 
ZEPT 
  • regulates electronic commerce and defines the liability of service providers and hosts for the information transmitted/stored.
ZEPEP
  • regulates, inter alia, electronic business, including business conducted in electronic form using information and communications technology, and the use of electronic signatures in transactions.

4. Authority

Brazil does not have a cybersecurity-specific regulator. The regulatory authority for cybercrime is the Ministry of Justice and Public Security.

5. Key obligations 

Not applicable.

ZEKom-1:
  • Operators must establish a security plan to manage risk around the security of networks and services and to prevent and minimise the impact of security incidents.
  • Operators must notify the Agency for Communication Networks and Services of the Republic of Slovenia of breaches of security or integrity of networks.
ZEPEP:
  • Safety requirements must be considered in internal rules.
  • Use of reliable systems and equipment, ensuring the technical and cryptographic security of procedures.
ZInfV:
  • Requirement to appoint a contact person for information security and its deputy.
  • Risk management on security of network and information system should be performed.
  • Establishment and maintenance of management system regarding security of information.
  • Reporting of incidents.

6. Sanctions & non-compliance 

Administrative sanctions:

Under the LGPD:

  • warning; 
  • fine of up to 2% of the revenue in Brazil of the entity, group or conglomerate in its last fiscal year, limited to BRL 50m per infraction;
  • daily fine;
  • publication of the infraction;
  • blocking of the personal data to which the infraction relates until the situation is regularised; 
  • erasure of the personal data to which the infraction relates.

Criminal sanctions:

Invasion of an IT device could be subject to a fine and imprisonment (from three months to two years).

Others: 

Under the LGPD:

Individual claims for damages and losses caused by violation of personal data. Claims by the Consumer Protection Units and the Public Prosecutor for damages and losses caused by violation of the data subject's personal data. 

Administrative sanctions:
  • ZInfV: fine up to EUR 50,000
  • ZEKom-1: fine up to EUR 400,000
  • ZEPT: fine up to EUR 50,000
  • ZEPEP: fine up to EUR 20,000

It is possible to be fined under both the above regulations and the GDPR/ZVOP-1 for the same incident, provided there are distinct bases for doing so (i.e. there is a breach of data protection law and a separate breach of the information security regulations).

Criminal sanctions:
  • imprisonment up to 15 years
Others: 
  • Compensation claims in case of damages. 
  • See “Data Protection” section above.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

CERT.br is the Brazilian National Computer Emergency Response Team.

A list of CSIRTs can be found here: www.cert.br

SI-CERT (Slovenian Computer Emergency Response Team) performs the role of the national CSIRT. SI-CERT is a service of ARNES (Academic and Research Network of Slovenia).

SI-CERT provides the following activities:

  • coordination of the resolution of cyber incidents;
  • technical advice on attacks, viruses and other misuse;
  • issuing alerts for network managers and the general public on current threats in electronic networks. 

SIGOV-CERT (a body within the Ministry of Public Administration) is a response centre for information security incidents in information systems of the state administration.

8. National cybersecurity incident management structure

N/A

Cybersecurity incidents may be reported to SI-CERT. Cybersecurity incidents within the information systems of the state administration may be reported to SIGOV-CERT.

9. Other cybersecurity initiatives 

Cybersecurity law as envisaged by E-Ciber, but this has yet to materialise.

SI-CERT runs an awareness-raising and educational programme on internet safety, “Safe on the internet”: https://www.varninainternetu.si/ (website only in Slovenian).

SAFE:SI is a national internet point for raising awareness for children and teenagers on the safe use of internet and mobile devices (https://safe.si/english).

Carolina Vaissman Uribe
Senior Associate
Rio de Janeiro
Amela Žrt
Attorney-at-law
Ljubljana
Irena Šik Bukovnik
Attorney-at-Law for banking & finance
Ljubljana