Law nº 13.853/2019 is sanctioned by the President of the Republic
On June 8th, Provisory Measure 869/18, also known as Bill no. 07/2019, which amends the General Law for the Protection of Personal Data - GLPD, was sanctioned by the President of the Republic, Jair Bolsonaro, and transformed into Law no. 13.853/2019 in the form of Conversion Bill no. 07/2019. With the presidential sanction, the provisions regarding the creation of the National Authority for the Protection of Personal Data - NAPD will come into effect on December 28th, 2019, and the remaining modifications to the GLPD will come into effect on August 14th, 2019. The presidential veto is still subject to analysis by the National Congress.
See below some of the main modifications made to the GLPD:
Health insurance plan operators
Operators of private health insurance plans are prohibited from processing personal data in order to select the risks related to the contract in any modality, as well as when contracting and excluding beneficiaries. The text reflects the determinations of the Normative Precedent no. 27/2015 of the National Agency of Health that prevents discriminatory restrictions when contracting a private health insurance plan.
Decisions made based on the automated processing of personal data
Decisions made based on the automated processing of personal data by algorithms shall be reviewable at the request of the data subject. The review of decisions shall also be made by algorithms, since the part of the review procedure which established its performance by a private individual has been vetoed.
Negotiation of indemnifications
Incidents of individual data leaks or unauthorized access can be the object of a direct conciliation between the controller and the data subjects. If there is no agreement between the parties, the controller shall then be subject to the penalties enforced by the NAPD.
Data Protection Officer
The Data Protection Officer shall be a legal entity or a private individual appointed by the controller of data. The Law has suffered vetoes regarding the requirement of legal and regulatory knowledge by the DPO and its ability to provide specialized services on data protection, as well as concerning the jurisdiction of the NAPD in regulating the specific cases in which the processor shall appoint a Data Protection Officer, the possibility of appointing a sole DPO for companies in the same economic group and the guidelines for guaranteeing the DPO’s technical and professional autonomy. Therefore, the NAPD remains responsible for defining the complementary norms and assignments of the DPO in accordance with the Law.
Data sharing by public entities
Under the justification that the sharing of data is essential to the regular exercise of several activities and public policies, the subparagraph that established the prohibition of data sharing in several levels of public administration and with private companies has been vetoed. The communication or shared use of data maintained by the State with private companies depends on the data subject’s consent, save for the exceptions provided by the GLPD. The Provisory Measure has also brought the provision of protection and preservation of personal data of citizens who request access to information, prohibiting the sharing of data in the public administration and with companies.
Legal nature of the NAPD
The NAPD has maintained its legal nature as part of the federal public administration, as was provided in the original text of the GLPD before the presidential vetoes. However, the legal nature of the NAPD has a temporary character, and it may be transformed into an entity of the indirect federal public administration with a special regime within up to 2 years from the date the structure of the GLPD comes into force.
Attributions of the NAPD
The NAPD has a list of attributions established by the Provisory Measure, such as the preparation of guidelines for the National Policy for the Protection of Personal Data and Privacy, the inspection and application of penalties in cases of noncompliance with the law, the performance and determination of audits regarding the processing of personal data by controllers and processors, and the issuing of regulations and procedures on the protection of personal data, privacy and impact reports.
Personal data of elders
The processing of personal data of elderly people shall be carried out in a clear, simple and accessible manner, in compliance with the Statute of the Elderly.
The NAPD shall issue simplified and differentiated rules, guides and procedures, including provisions regarding deadlines, to guarantee the adaptation of micro companies, small companies, startups and innovation companies.
Finally, the possibility of application of the following penalties by the NAPD has also suffered vetoes: i. partial suspension of the functioning of the database; ii. suspension of the activity of data processing; and iii. partial or total prohibition of exercising the activities related to data processing.
SAEKI ADVOGADOS remains available to provide guidance on the necessary measures for complying with the provisions of the GLPD and to clarify any questions that may arise.