Provides for data protection
personal privacy and provides other
THE NATIONAL CONGRESS decrees:
THE PROTECTION OF PERSONAL DATA
This article first law aims to guarantee and protect, within the treatment
personal data, the dignity and fundamental human rights, particularly in
relation to their freedom, equality and personal and family privacy,
pursuant to art.
5, items X and XII of the Constitution.
2nd Art Everyone has the right to protect their personal data.
Article 3 This Act applies to processing of personal data held in
national territory by individuals or legal entities of public or
private law, even
that the database is located abroad.
§ 1 The present law does not apply:
I - the processing of personal data held by an individual for
purely personal and domestic, since the data are not treated
intended for communication;
II - to the databases used for the practice of journalism and
exclusively for such purpose.
§ 2 The databases established and maintained for the sole purpose of safety
public defense, State security and activities of investigation and
offenses shall be governed by specific legislation.
Article 4 For the purposes of this Act, it is understood as:
I - Personal Data: any information relating to an identified or
identifiable, directly or indirectly, including any address or number
identification of a terminal used for connection to a computer network;
II - treatment: any operation or set of operations carried out with or without
help of automated means, which enables the collection, storage, management,
maintenance, modification, comparison, evaluation, organization,
use, blocking and deletion of personal data, as well as its supply
third parties by means of transfer, communication or interconnection;
III - database: any structured set of personal data, located in a
or several locations, electronically or otherwise;
IV - sensitive data: personal data whose processing can give rise to
holder, such as those revealing racial or ethnic origin, political beliefs
religious, philosophical or moral, political opinions, union
membership, party or
organizations of a religious, philosophical or political, those
relating to health and
sexual life, as well as genetic and biometric data;
V - holder: the person who referred the personal data object
treatment under this law;
VI - responsible: The person or entity, public or private, who
compete decisions relating to the purposes and methods of data processing
VII - subcontractor: the company hired by the data bank
data as responsible for the processing of personal data;
VIII - Communication: The act of disclosing personal data to one or
more subject specific
many of its holder, in any form;
IX - diffusion: the act of disclosing personal data to one or more
many of its holder, in any form;
X - Interconnect: transfer data from one database to another, or maintained
not by the same owner, with similar or different purpose;
XI - block: conservation of personal data or database with the suspension
temporary operation of any treatment;
XII - Cancellation: removal or destruction of data or data set
stored in the database, whatever the procedure used;
XIII - dissociation: an act to amend the personal data so that it can not be
associated, directly or indirectly, with an identified or identifiable
XIV - anonymous data: data relating to a holder that can not be identified,
or by the controller or by any other person, taking into account
the set of means likely reasonably to be used by responsible
the data controller or any other person to identify such
Article 5 The processing of personal data by corporations law
public is allowed to carry out its institutional functions within the
limits of the law.
Article 6 The processing of personal data is risky activity and all that, for
through the processing of personal data, causing financial damage to
individual or collective, is obliged to compensate him under the law.
Article 7 The defense of the interests and rights of data subjects can
either individually or collectively, in the manner provided for in
Articles 81 and
82 of Law 8078 of September 11, 1990, Law 7347 of July 24, 1985 and
the other instruments of collective protection established in law
GENERAL PRINCIPLES OF DATA PROTECTION
Article 8 The controllers of personal data must meet, among
others, the following general principles of protection of personal data:
I - Principle of purpose: not to use the personal data object treatment
for different purposes or incompatible with those who based their
collection and have been informed that the proprietor, as well as the
limitation of this
treatment for specified, explicit and legitimate charge;
II - The principle of necessity: that the use of personal data to a minimum
necessary to exclude your treatment when the aim is that
seeks to achieve can also be performed with the use of anonymized data or
with the use of means of identification of the person concerned only if
III - The principle of free access: the possibility of free
consultation by the owner, his
personal data, as well as its treatment modalities;
IV - Principle of proportionality: the processing of personal data only in cases
where there is relevance and pertinence to the purpose for which they were
V - The principle of data quality: the accuracy of personal data object
treatment, with updating done at the periodicity required for
fulfillment of the purpose of their treatment;
VI - transparency: the information to the holder on the completion of
processing of personal data, stating the purpose, categories of
data processed, shelf-life of these and other relevant information;
VII - Principle of physical and logical security: The use by the controller
data, technical and administrative measures commensurate with the
current state of
technology, the nature of the data and the specific characteristics of
constantly updated and able to protect personal data under their
responsibility of the destruction, loss, alteration or dissemination,
accidental or unlawful, or
VIII - The principle of objective good faith, loyalty and respect to
the objective good faith in
processing of personal data, and
IX - Principle of responsibility: to repair, under the law, damage
holders of personal data, whether or moral, individual or
X - Principle of precaution: the duty of responsible, in addition to
specific to this Act, adopt, where possible, measures to prevent
occurrence of damage by the processing of personal data.
REQUIREMENTS FOR THE PROCESSING OF PERSONAL DATA
Article 9 The processing of personal data can only occur after the consent
free, express and informed the owner that may be given in writing or by other
means sure that, after notice to the holder of the information contained
in art. 11.
§ In the first service performed over time, the consent must be renewed
periodically under the Regulation.
§ 2 The processing of personal data from children will only be possible with the
consent of legal guardians and in their best interest, being forbidden
use these data for commercial purposes.
Article 10. Consent may be revoked at any time.
Article 11. When collecting personal data, the holder is informed in a
clear and explicit about:
I - the purpose for which personal data are being collected and that
form will be treated;
II - the identity and address of the controller;
III - compulsory or voluntary nature of data provision;
IV - the consequences of any refusal to supply them;
V - the subjects for which data can be communicated and its scope of
VI - your rights, particularly the possibility of refusing to provide data
personal and on their right to free access and rectification.
Sole Paragraph. It is considered null and void if such consent given
content or misleading information has not been given clearly
Article 12. The consent, if given together with other statements, must
appear explicitly and apart.
Article 13. The consent will be waived when treatment:
I - is necessary for the enforcement of obligations under a contract which is
part of the holder to carry out pre-contract procedures required by this,
or to fulfill a legal obligation on the part of the charge;
II - refer to data from records, deeds or documents of public
unrestricted public access;
III - is necessary for the exercise of proper functions of state powers;
IV - is done for the sole purpose of historical research, scientific or
V - is necessary for the protection of life or physical safety of the owner or
a third, where the owner can not provide your own consent
physical incapacity or inability to understand;
VI - it is necessary to exercise the right of defense or to assert a right
in court, provided the data to be processed solely for
this purpose and strictly by the time required for its implementation;
VII - concerns about the data breach of obligations by the
holder, in which case the holder should be notified in writing in accordance
Art. 43 of Law 8078/90 - Code of Consumer Protection.
Article 14. Personal data that are object of treatment should be:
I - treated lawfully and in good faith;
II - collected and stored for specified, explicit and legitimate purposes;
III - accurate, clear, objective, current and easily understood;
IV - relevant, complete, proportional and not excessive in relation to
which justified their collection or further processing;
V - kept in a form which permits identification of its owner for a period of
not exceeding the time required for the purposes that justify their
further processing, and
VI - retained for a period not exceeding that established by law or regulation
specific to each sector.
§ It is forbidden to first processing of personal data obtained
through mistake, fraud, coercion
§ 2 The personal data obtained or processed in a manner contrary to this law and
discipline related to the protection of data can not be used and should be
RIGHTS OF HOLDER
The data subject may obtain from the controller the
confirmation of the existence of personal data concerning him and the
access to the data itself, both directly and through the action of habeas data,
under the law.
§ 1 The required information will be provided immediately, so
simplified or within 5 (five) days, through a clear and complete statement,
including information about its origin and on the rationale, criteria
used and the purpose of their treatment.
§ The second provision of this information does not matter in charge
to the holder of
§ 3 The information for choosing the holder may be provided in writing or
electronically, safe and suitable for this purpose.
§ 4 The information must be broad and relate to the entire existing record,
even when the application only understand one aspect of personal data
§ 5 The personal data will be stored to allow the exercise of
Article 16. Upon request of the data subject, the officer shall, without charge,
within 5 (five) days:
I - correct the personal data that are incomplete, inaccurate or outdated;
II - cancel, dissociate or block personal data that are unnecessary,
excessive or treated in conformity with this law.
Sole Paragraph. The officer is obliged, within 5 (five) days to communicate to
recipients of the information to carry out correction, cancellation,
block of data.
Article 17. The data subject may object, in whole or in part, the treatment of
your personal data:
I - whenever you have legitimate reasons, except in cases where treatment is
necessary for the fulfillment of an obligation imposed by law on the person
II - when their data are used for advertising purposes, even though they were
submitted to a process of dissociation.
Article 18. In cases of violation of this law, the holder may request their
rights under the Guarantee Authority in the regulations.
Article 19. The data subject has the right not to be subjected to
affect, significantly, the sole basis of a treatment
automated personal data designed to define the profile or personality
§ 1 Any such decision may be contested by the proprietor, who has
right to obtain information from the controller on the criteria
this assessment and the procedure in which it is based.
§ 2 It is assumed this kind of decision in cases that have been
expressly requested by the holder and provided that guaranteed due process and
TREATMENT OF SENSITIVE DATA
Article 20. No person shall be compelled to provide sensitive data.
Article 21. It prohibited the formation of databases containing information that
directly or indirectly, disclose sensitive data, unless express
respecting the personal rights of the holder, in particular the guarantee of no
§ 1 The processing of sensitive data is permitted when:
I - the owner has given his consent, written informed whenever
this treatment is essential for the legitimate exercise of statutory duties or
II - is carried out by associations and other nonprofit entities in nature
political, philosophical, religious or trade union to conduct lawful
comprising the personal data of its subscribers, where the data are not
communicated or disseminated to third when the entity in question to determine
appropriate measures of ensuring the rights of the holder to the
III - is necessary for the protection of life or physical safety of the owner or
a third, where the owner can not provide your own consent
physical incapacity or inability to understand, or
IV - is done for the sole purpose of historical research, scientific or
V - is clearly on the data made public by the licensee.
VI - is conducted by health professionals or health and
deemed indispensable for protecting the health of the person concerned.
VII - is necessary for the exercise of the powers of eigenfunctions of State
provided by law.
§ 2 In any event, be deemed to be illegal treatment of sensitive data that
is used for discriminatory purposes.
Article 22. The Authority may specify measures to guarantee security
the holder of sensitive data that should be taken by responsible
Article 23. The processing of personal data will be done to minimize,
through the adoption of appropriate measures of preventive security,
the risk of their
destruction or loss, unauthorized access or treatment not allowed by
holder or several of the aims of their collection, whatever the reason.
Sole Paragraph. The measures referred to in the caption should be
proportional to the current
state of technology, the nature of the data and the specific characteristics of
treatment, particularly in the case of sensitive data.
Article 24. A set of minimum security measures will be published preventive
Guarantee by the Authority within a maximum of one year after the
entry into force
of this law, and updated periodically based on evolving technology and
Article 25. The subcontractor must have experience, capability and
reliability to ensure
respect to existing provisions regarding the processing of personal data, and
to respond jointly liable for damage caused by its
activity to the data.
Sole Paragraph. The subcontractor will perform the treatment as instructed
provided in writing by the official, who, through regular inspections, check
own compliance with the instructions and rules on the matter.
26 The charge, the subcontractor or any other person involved in
any stage of processing of personal data is bound to secrecy in
relation to them, this duty that remains after the respective
treatment or employment exists.
Article 27. The controller shall report to the Authority and Warranty
to the data immediately on the unauthorized access, loss or diffusion
accidental, either total or partial, of personal data where such access, loss or
diffusion entail risks to privacy of their holders.
Sole Paragraph. In the cases mentioned in the caption, the Authority
take the action he deems necessary, within its competence,
including determining the person responsible for the broad
dissemination of fact in media
COMMUNICATION AND INTERCONNECTION OF PERSONAL DATA
Article 28. The communication or the linking of personal data will
only be allowed
with the consent of the owner and express and to fulfill the purposes
directly related to the legitimate functions of the transferor and transferee.
§ The first consent to the communication or interconnection is revocable at any
§ 2 The consent will be waived when:
I - the data is derived from records, deeds or documents accessible to public
any person, taking into account the limits for access and
publication of these data;
II - for the fulfillment of an obligation imposed by law;
III - when it is necessary to protect the life or physical safety of the holder
or a third party, where the owner can not provide your own
consent to physical impossibility or incapacity of understanding.
Article 29. The transferee will be subject to the same legal and
regulatory obligations of
transferor, including as joint and several liability for any damage
caused and the duty to receive and process challenge and make corrections.
THE END OF THE PROCESSING OF PERSONAL DATA
Article 30. Personal data will be canceled when no longer needed or
relevant to the purpose that justified their collection and treatment.
Sole Paragraph. Law or regulation may provide for periods up to
processing of personal data in sectors and situations.
Article 31. At the end of the processing of personal data, without
prejudice to the rights of
holder, and whenever the need or relevance, the data can be:
I - transferred to third parties, provided for treatment for similar purposes
those for which they were harvested with the consent of the holders;
II - kept for exclusively personal and not intended for communication or
III - retained or transferred to third, only for historical purposes,
statistical or scientific research.
PROCESSING OF PERSONAL DATA IN THE PUBLIC SECTOR
Article 32. The communication and interconnection of personal data
between a corporate
public will be allowed in cases where their skills do not they concern
distinct issues, respecting the rights established in this law.
Sole Paragraph. The communication of personal data between corporate law
public with expertise on different subjects will be admitted:
I - by express legal provision, while respecting the rights of holders of
II - when it is necessary to carry out their official responsibilities.
Article 33. Those responsible for public databases may, by decision
grounded and only the time necessary to deny the opposition and cancellation
the processing of personal data when it is necessary to:
I - the protection of public order;
II - to protect rights of third parties;
III - not to obstruct judicial or administrative action in progress, linked to
research on compliance with tax obligations, developing
control functions of health and the environment and to check violations
PROCESSING OF PERSONAL DATA IN THE PRIVATE SECTOR
Article 34. Every private entity that performs the processing of
personal data for
development of its activities and has more than two hundred employees should
appoint a director responsible for processing personal data.
§ The first director responsible for processing personal data must ensure, so
independent, the observance of the provisions of this law.
§ 2 The activities of the director responsible for processing personal data
consist, inter alia, on:
I - act as the corresponding immediate Security Authority;
II - instructing other employees regarding practices to be taken into
regarding protection of personal data, and
III - Maintaining a relationship of personal data processing performed
by the company,
immediately accessible by the owners that request their own personal data.
§ 3 The entity shall report to the Security Authority of the identity
of the director
responsible for processing personal data.
INTERNATIONAL DATA TRANSFER
Article 35. The international transfer of personal data is only allowed for
countries that provide a level of data protection comparable to the present
Act unless the following exceptions:
I - where the owner has expressed his own consent, expressed and
reported for the transfer;
II - when it is necessary for the implementation of obligations under
a contract of
which the holder is a party;
III - when it is necessary to guarantee a significant public interest provided
IV - when it is necessary for international cooperation between public agencies
intelligence and research, according to international law instruments
that Brazil was bound;
V - when it is necessary to defend a right in court, if the data
transferred solely for this purpose and the time required;
VI - when it is necessary to protect the life or physical safety of the holder
or third, if the holder can not provide their own consent
physical impossibility, incapacity to act or understand.
Article 36. The Security Authority will recognize the character of the
appropriate level of
data protection of the host country taking into account the existing
legislation in this
country and other circumstances relating to the transfer of data.
Sole Paragraph. For the purposes described in the caption, the
Authority will consider
nature of the data, the general standards and industry present in its
compliance with principles of data protection and security measures
Section 37. The Security Authority may authorize a transfer or series of
transfers to a foreign country which does not have an adequate level of
protection when the controller provides sufficient guarantees in
relation to protecting the privacy of the owners, the security
measures adopted and
possibility of exercising rights under this law.
Sole Paragraph. The transfer of personal data abroad, in which case only
may occur after the express permission of the Authority Guarantee.
WARRANTY OF AUTHORITY
Article 38. It created the National Council for the Protection of
Personal Data, with
administrative, budgetary and financial, with the assignment to act as
Security Authority about the protection of personal data, the structure and
Assignments will be established in specific legislation.
Article 39. The National Council for the Protection of Personal Data:
I - ensure compliance with this law, its rules and its bylaws;
II - to plan, develop, propose, coordinate and implement national policy actions
protection of personal data;
III - enacting and provisionses on matters within its jurisdiction;
IV - adopt its internal regulations;
V - to receive, analyze, evaluate and forward consultations, complaints or
suggestions made by holders of personal data, representative or
legal persons under public or private, relating to data protection
personal, under the Regulation;
VI - impose, in motion or at the request of a party, as appropriate,
corrective and preventive measures it deems necessary, in accordance
with this law;
VII - to create, maintain and publish, for transparency purposes, a
record of banks
personal character of categories and industries as it considers
VIII - check if the treatments meet the legal standards and principles of
IX - promote awareness among the population of rules dealing with the matter and
its purposes, as well as data security measures;
X - veto all or part of data processing or provide your block if the
treatment becomes unlawful or inappropriate in terms of regulation;
XI - to recognize the character of the appropriate level of data
protection in the country of destination
in the case of international transfer of personal data and to authorize a
transfer or series of transfers to third countries that do not count on this
XII - to determine the controller of personal data, when
necessary to carry out privacy impact assessment in the form of regulation.
XIII - undertake other activities consistent with its purposes.
Article 40. The States, the Federal District and the municipalities
may create their own
authorities for protection of personal data, with concurrent
jurisdiction and its
respective areas of administrative action.
Article 41. Without prejudice to civil and criminal penalties and
administrative rules to be defined in specific infractions of the rules
under this Law shall be subject, as appropriate, the following sanctions
I - fine;
II - block of personal data;
III - The dissociation of personal data;
IV - cancellation of personal data;
V - prohibiting the processing of sensitive data;
VI - temporary suspension of activity, and
VII - prohibition of use of the database.
§ 1 The penalties provided in this Article shall be applied by the
Security Authority, the
scope of their assignment, may be applied cumulatively, including by
precautionary measure, history or incident of administrative procedure.
§ 2 The conditions and procedures for the application of sanctions, which should
be graded because of the extent, severity of the violation, the nature of rights
Personal affected recurrence and damages arising therefrom shall be
Article 42. The fine will be stipulated:
I - if the company in less than twenty percent of the value of gross
income on your
last year, excluding taxes;
II - In the case of other persons or entities public or private well
and any entities or associations of persons formed in fact or
Right, even temporarily, with or without legal personality, not being
possible to use the criterion of value of gross income in an amount not less
R $ 2.000,00 (two thousand dollars) and not more than R $ 6,000,000.00
Sole Paragraph. In case of recidivism, the imposed fines will be applied in
twice, not applying in such a case, the maximum limit indicated in section II.
Section 43. Without prejudice to the sanctions, the Security Authority, acting
office or at the request of a party, shall impose management to incur infraction
the rules of this law, the corrective measures it deems necessary to reverse the
harmful effects that the offending conduct has caused or to prevent it from
produce again in the future, setting a daily fine for its
§ The first administrative decisions that have become res judicata
corrective to the owner of the information constitutes an
§ 2 Where corrective actions are addressed to a specific holder, this is the
standing to enforce the decision.
Article 44. At any stage of administrative procedure is provided to
Warranty adopt preventive measures, ex officio or at the request of a
party, when there
evidence or grounds for concern that the defendant directly or
indirectly, cause or
may cause irreparable injury to the community or difficult to repair under
protection of personal data, or render ineffective the outcome of the
process, setting the
daily fine for noncompliance.
CODES OF GOOD PRACTICE
Article 45. Those responsible for the processing of personal data,
either individually or
through class organizations, may formulate codes of practice that
determine the terms of organization, operating system, procedures
applicable safety standards, technical standards, specific requirements for
several involved in the treatment and use of personal data and other items and
safeguards for people with full respect for the principles and
provisions of this
law and other regulations concerning data protection.
§ The first codes of practice binding on those responsible for
data processing and the members of a particular professional class.
§ 2 The Security Authority will ask the class to their organizations
drafting of codes of good practice when it deems appropriate and may participate
in its preparation.
§ 3 Among other professions, the Authority will prioritize the Guarantee
fostering the development of codes of good practice theme:
I - surveillance and monitoring;
II - advertising and direct marketing;
III - databases of credit protection;
IV - insurance, and
V - other relevant matters.
§ 4 The codes of good practice will be deposited in the Security
may not approve them if they are inconsistent with the laws and
regulations on this subject, which follows a request to be made
the changes necessary and indicated.
§ 5 The codes of good practice will be made publicly available and should be
updated whenever it proves necessary.
FINAL AND TRANSITIONAL PROVISIONS
Article 46. The privileges of this law does not exclude others,
arising from treaties or
international conventions to which Brazil is a signatory, under domestic law
ordinary as well as regulations issued by administrative authorities
Article 47. Are hereby repealed articles 2, 3 and 4 of Law 9507 of 12 November
Article 48. This Act shall come into force within 90 days from the date of its
woensdag 15 december 2010
Brazil's 1st Data Prot. Bill
(Thanks to http://translate.google.com/ )
Geplaatst door Quirinius op 00:40