You are here

Brazil

Country:
Survey Answer:

Law and/or Administrative Measures
Obligations
Decree n. 8.771/2016 – Decree Brazilian Civil Rights Framework for the Internet
• Article 13. Connection and application providers shall, in the custody, storage and processing of personal data and private communications, observe the following safety standards guidelines:
• I - the establishment of strict control over access to data by defining the responsibilities of those who will have access possibilities and privileges of exclusive access for certain users;
• II - the provision of authentication mechanisms for access to records, using, for example, dual authentication systems to ensure the individualization of the person responsible for the processing of records;
• III - creation of a detailed inventory of access to connection and access records for applications, containing the moment, duration, identity of the employee or the person designated by the company and the file accessed, including for compliance with the provisions of art. . 11, paragraph 3, of Law No. 12,965, of 2014; and
• IV - the use of records management solutions through techniques that guarantee the inviolability of data, such as encryption or equivalent protection measures.
• Paragraph 1 - The CGIbr shall promote studies and recommend technical and operational procedures, standards and standards for the provisions of this article, according to the specifics and size of the connection and application providers.
• Paragraph 2 - In view of the provisions of items VII to X of the caput of art. 7 of Law No. 12,965, of 2014, connection providers and applications shall retain the least possible amount of personal data, private communications and access and connection records for applications, which shall be excluded:
• I - as soon as the purpose of its use is reached; or
• II - if the period determined by legal obligation is closed.
Law n. 13.709/2018 (Data Protection General Law)
• The national authority may decide on minimum technical standards to make the provisions of this Law applicable, taking into account the nature of the information handled, the specific characteristics of the processing and the current state of the technology, especially in the case of sensitive personal data, as well as the principles provided for in the caput of art. 6 of this Law.

Provided By:
Ana Carolina Cesar, Daniel Legal & IP Strategy