FINAL AND TRANSITIONAL PROVISIONS: Article 65
This Law comes into force after eighteen (18) months as from its official publication...
This Law comes into force after eighteen (18) months as from its official publication...
The rights and principles expressed in this Law do not exclude any other rights and principles established in the Brazilian legal system concerning the matter or...
The supervisory authority shall establish rules for progressive adequacy of databases created by the date of effectiveness of this Law, considering the complexity of the processing operations and the data nature...
The supervisory authority and Instituto Nacional de Estudos e Pesquisas Educacionais Anísio Teixeira (INEP), as part of its duties...
The foreign company shall be notified of and summoned in relation to all procedural acts established in this Law, regardless of power of attorney or contractual or statutory provision...
Law No. 12.965 of April 23, 2014 (Brazilian Civil Rights Framework for the Internet) shall be hereinafter in effect with the following amendments...
The amount of the penalty of daily fine applicable to infractions of this Law shall take into account the severity of the fault and the extension of the damage...
The supervisory authority shall define, by means of proper regulations on administrative penalties for infractions to this Law...
The supervisory authority shall encourage the adoption of technical standards for easier control by the data subjects of their personal data...
The data processing agents, in connection with any infractions of the rules established in this Law, shall be subject to the following administrative penalties applicable by the supervisory authority...
The controllers and processors, within the scope of their authority for personal data processing, individually or by means of associations..
The systems used for personal data processing shall be structured in such a manner as to meet the security requirements3..
The controller shall notify the supervisory authority and the data subject of the occurrence of any security incident that may result in any relevant risk or damage to the data subjects...
The processing agents or any other person that interferes with any of the processing phases shall be required to ensure the information security provided...
The processing agents shall adopt security, technical and administrative measures that are capable of protecting the personal data from unauthorized accesses...
The events of violation of the data subjects’ right within the scope of the consumption relationships remain subject to the liability rules established in the applicable law...
The personal data processing shall be irregular if it fails to comply with the law or fails to provide the security that the data subject may expect therefrom, considering the relevant circumstances, including...
The processing agents shall not be held liable only if they demonstrate...
Any controller or processor that, in connection with the performance of the activity of personal data processing...
The controller shall indicate a data protection officer...
The supervisory authority may establish interoperability standards for purposes of portability, free access to data and security, and on the retention time of the registrations, especially in view of the need and transparency...
The processor shall carry out the processing in accordance with the instructions supplied by the controller, which shall determine the compliance with its own instructions and the rules on the matter...
The supervisory authority may require the controller to prepare a data protection impact assessment, including sensitive data, relating to its data processing operations...
The controller and the processor shall keep in record the personal data processing operations carried out by them, especially where they are based on a legitimate interest...
Any changes in the guarantees presented as being sufficient guarantees of compliance with the general principles of protection and with the data subjects’ rights...
The definition of the content of standard contractual sections, and the verification of specific contractual sections for a given transfer...
The level of data protection of the foreign country or international organization mentioned in item I of the main provision of article 33 of this Law shall be assessed by the supervisory authority...
The international transfer of personal data is permitted solely in the following cases...
The supervisory authority may request to Government agents the publication of personal data protection impact assessment...
In the event of breach of this Law as a result of the processing of personal data by public bodies, the supervisory authority may send a communication with applicable measures to cease the violation...
The supervisory authority may establish supplementary rules for the communication activities and shared use of personal data...
The supervisory authority may request, at any time, to the Government entities, the conduction of personal data processing operations..
The communication or the shared use of personal data of legal entities governed by public law to legal entities...
The shared use of personal data by the Government shall meet specific purposes of execution of public policies and legal attribution by the public bodies and entities...
The data shall be kept in an interoperable and structured manner for the shared use...
The state-owned companies and the government-controlled private companies that act by means of competitive bid...
The processing of personal data by the legal entities governed by public law mentioned in the sole paragraph of article 1 of Law No. 12.527...
The defense of the interests and rights of the data subject may be exercised in court, individually or collectively, in the form of the provisions of the applicable law, about the instruments of individual and collective protection...
The personal data relating to the regular exercise of rights by the data subjects cannot be used against them...
The data subjects are entitled to request a review, by a natural person, of decisions made only based on the automatized processing of personal data that affects their interests...
Confirmation of the existence of or access to personal data shall be provided, at the request of the data subjects:...
The data subjects are entitled to obtain from the controller, in relation to the data of the data subjects processed by such controller, at any time and upon request...
All natural people are ensured the ownership of their personal data and the guarantee of the fundamental rights to freedom, intimacy and privacy, pursuant to the provisions of this Law...
The personal data shall be eliminated after termination of the processing thereof, within the scope and technical limits of the activities, and conservation thereof shall be authorized for the following purposes...
Termination of the processing of personal data shall occur in the following events...
The processing of personal data of children and adolescents shall be carried out to their best interest, pursuant to the provisions of this article and of the applicable law...
In the conduction of studies on public health, the research bodies may have access to personal databases...
Anonymized data shall not be deemed personal data for purposes of this Law, except when the anonymization process to...
Sensitive personal data can only be processed in the following events...
The legitimate interest of the controller may only be a reason for the processing of personal data for legitimate purposes, considered based on specific situations, which include, without limitation...
The data subjects are entitled to facilitated access to the information on the processing of their data...
The consent set forth in item I of article 7 of this Law must be provided in writing or by other means that proves the manifestation of will of the data subject...
The personal data can only be processed in the following events...
The personal data processing activities shall observe the good faith and the following principles...
For purposes of this Law, the following definitions apply...
This Law shall not apply to the processing of personal data:...
This Law applies to any processing operation carried out by a natural person or legal entity governed by public or private law...
The grounds of the regulation on personal data protection are the following...
This Law provides on the processing of personal data, including by digital means...