Licks Attorneys' Government Affairs & International Relations Blog

Doing Business in Brazil: Political and economic landscape

Licks Attorneys' COMPLIANCE Blog


No items found.

One of the biggest challenges for a company's adequacy projects to personal data protection's legislation is matching the processing of certain personal data in any legal basis available in the law; depending on the country and, consequently, on its local law, there is not even the possibility of choosing a legal basis for matching, as occurs, for example, in the USA. However, this difficulty affects both Brazil and most European countries.

As the Brazilian Data Protection Act (LGPD) has been in force for only 1 year and its penalties have come into effect just over 30 days ago, the greatest examples of this difficulty in matching turn out to come from the old world. It is impressive the amount of penalties that are imposed by national data protection authorities, in the respective European countries, to companies that, according to such authorities, inadequately match the processing of such personal data and, therefore, are penalized for violating the law.

Thus, the National Data Protection Authority in the United Kingdom (Information Commissioner's Office - ICO) created an interactive online tool to help those seeking guidance in matching the processing of personal data in some of the legal bases provided for in the GDPR, European data protection act, to which the United Kingdom was a signatory before its separation from the European Union.

In order to use this service free of charge, the user must access the website

Upon entering, the user already finds a preset questionnaire with the following questions, as set below:

Page 1 - Agreement Do you have or intend to enter into an agreement with the individual? a) Yes, b) No, c) I do not know 
Page 2 - Legal Obligation Are you processing this personal data to comply with any law? a) Yes, b) No, c) I do not know, d) Somehow 
Page 3 - Vital Interests Are you processing this personal data to save or protect someone's life? a) Yes, b) No, c) I do not know, d) Somehow 
Page 4 - Public Activity Are you processing this personal data to carry out your public activity or function or other specific activities of public interest? a) Yes, b) No, c) I do not know, d) Somehow 
Page 5 - Consent Do you want to give individuals the power to decide whether or not you can process their data? a) Yes, b) No, c) I do not know, d) Somehow 
Page 6 - Legitimate Interest Are you satisfied with taking full responsibility for processing personal data? a) Yes, b) No, c) I do not know, d) Somehow 

After submitting the results, according to the answer, a justification is presented for which legal basis or bases the user should carry out the matching of the processing of personal data; if the user has answered that he does not know or somehow, the authority instructs him to identify what would be needed to validate your choice of framing.

In this way, ICO makes the user navigate through the 6 legal bases provided for in the GDPR for matching the processing of personal data. It is a simple but very useful initiative, considering that, just as there are large corporations with many resources to seek adequate advice that can show the way, there are many companies that do not have adequate resources and have great difficulty in trying to understand and apply the law. ICO really deserves congratulations for the initiative.

Something similar could be done in Brazil, keeping the proportions as to the differences foreseen between the legislations, since here we have 10 legal bases for matching the processing of common personal data, 8 legal bases for matching the processing of sensitive personal data and also a differentiated matching for the processing of personal data of children and adolescents -- in this case, there is still controversy regarding the understanding over the applicability if only for children or if also for adolescents, since the lawmaker was unfortunate in its corresponding wording.

No items found.