
Right now, millions of people are online and sharing their personal information in various digital environments. Whether to buy, study, work, publish photos and videos, play games, listen to music, or pay bills, it is necessary to share personal data such as e-mail addresses, document numbers, or credit card numbers.

But, after all, what happens to this information, and how can it be kept safe? This is exactly what is regulated by Law 13,709, the General Data Protection Law (LGPD).

How did the LGPD appear and what are its objectives?

The General Data Protection Law was signed in August 2018, by former president Michel Temer, and came into force on September 18, 2020. It emerged as a response to the need to regulate the processing of personal information in Brazil, bringing the country in line with international standards for the protection of privacy.

The LGPD was inspired by the European Union's General Data Protection Regulation (GDPR) and establishes clear rules on how companies and government entities must collect, store, use, and share citizen data.

Since the law was enacted, the use of any personal information, from the most basic, such as name and e-mail, to health data, must comply with the new law - and fines for non-compliance can reach R$ 50 million.

Transparency and monitoring of the LGPD

When filling out a form or providing personal data in any other way, it is essential that the data subject is informed of the reason for the processing and what will be done with the information. To this end, controllers (those who receive the data) must make a privacy notice available to data subjects – the transparency tool in data processing.

In this sense, the LGPD gives citizens certain guarantees, such as the right to request that their personal data be deleted, to revoke consent, and to transfer their data to another service provider, among other actions.

To monitor and apply penalties in cases of non-compliance with the General Data Protection Law in Brazil, the responsible body is the National Authority for the Protection of Personal Data (ANPD).

What are the principles of the General Data Protection Law?

Purpose: Personal data must be collected and used only for specific, legitimate and explicit purposes, informed to the owner at the time of collection.

Adequacy: Data processing must be compatible with the purposes for which the data was collected, and the data cannot be used excessively or inappropriately.

Necessity: Only data that is strictly necessary for the fulfillment of the specific purpose must be collected and processed.

Free Access: Data subjects have the right to access the information held about them and to obtain information about the processing and its purpose.

Data Quality: Personal data must be accurate, clear, and up-to-date to ensure that it is correct and complete.

Security: Security measures must be implemented to protect personal data against unauthorized access, leaks, and other forms of inappropriate treatment.

Prevention: Preventive practices and measures must be adopted to avoid the occurrence of damages and risks to the data subject.

Non-Discrimination: Personal data cannot be used for discriminatory, illegal, or abusive practices.

Responsibility and Accountability: Companies must demonstrate that they comply with the LGPD by implementing policies and practices that guarantee data protection.

Transparency: Information about data processing must be clear and accessible to data subjects, who must be informed about how and for what their data is being used.

Impacts of the LGPD on society and companies

The General Data Protection Law goes beyond a set of regulations. It signals a significant change in the way society deals with privacy and security in the digital age.

Its impacts are not limited to legal obligations; they also change how people interact with technology and with the processing of their personal data. For this to happen, however, citizens must be aware of the rules published by the companies that process their data, and of their rights and how to exercise them.

At any time during the relationship with the institution, it is possible to request information about what data is being collected and how it is being used.

Companies, on the other hand, must implement an internal compliance structure and policy to properly treat their clients' data. This is true for both public and private sector entities.

To ensure that the process takes place properly, the LGPD defines three important roles in organizations:

Controller: The person or entity that makes decisions about the processing of data. Generally, it is the company with which the data subject has a business relationship.
Operator: A company or person hired by the controller to carry out the processing of personal data on the controller's behalf.
Responsible: Known as the DPO (Data Protection Officer), this is the professional responsible for communication between the controller and the regulatory authority, and the point of contact for data subjects.

To ensure compliance with the LGPD, it is recommended that companies create a committee to develop internal policies, define goals, and draw up data protection management plans. This includes emergency plans for managing crises involving security and privacy. In the event of a data leak, both the customer and the regulatory authority must be notified quickly and efficiently.

Additionally, employees of the parent organization need to be aware of the procedures related to the LGPD. Therefore, it is essential that they are trained on the new legislation and on how data will be processed within the company.

LGPD at Neoenergia

Neoenergia recognizes the importance of the LGPD to ensure that Brazil continues to participate in the international trade of services.

The implementation of the law marks a significant advance in the maturity of organizations and data subjects regarding the protection of personal data, both by clearly establishing duties and rights and by increasing the maturity of personal data protection and cybersecurity processes.

To comply with the law, Neoenergia followed a plan divided into three phases: mapping and definition of action plans; implementation of defined plans and adjustments to the data processing catalog; and improvement of the governance model.

The first stage included the creation of the Register of Data Processing Actions, a comprehensive catalog that documents all data processing carried out by the company, including the legal basis and other pertinent information.

After the mapping, Neoenergia published privacy notices on its websites, established channels through which data subjects can exercise their rights, and began a training process to foster a culture of personal data protection among its employees, in addition to adjusting its internal processes.

Currently, data subjects (customers, visitors, etc.) whose data is processed by the Neoenergia Group can access the Privacy Policy/Notices page on the company's websites. The organizational structure to handle personal data security has already been established, starting with the DPO (Data Protection Officer) and extending to 84 Data Protection Officers, in addition to 52 Data Protection Officers, in the various areas of the company. In addition, the Cybersecurity, Personal Data Protection and Incident Handling regulations have been reviewed and updated to ensure greater compliance with the LGPD.

The company continues to improve its governance and personal data protection model on an ongoing basis, including adjustments to the Incident Handling Framework, which defines internal rules for dealing with data leaks and other cybersecurity incidents.
