One of the obligations of any company operating in Brazil is to understand the entire flow of personal data processing activities and, from there, choose a legal basis (processing hypothesis) for each activity carried out.
The LGPD allows the processing of data in several cases, whether for data considered common (article 7) or for sensitive data (article 11). Sensitive data are those with a greater potential to cause harm to their holder, and were explicitly delimited by the Law, namely: personal data on racial or ethnic origin, religious belief, political opinion, membership of a union or organization of a religious, philosophical or political nature, data relating to health or sexual life, and genetic or biometric data, when linked to a natural person.
We have already written about choosing legal bases and the importance of doing it correctly.
Those who say that complying with the LGPD is simply a matter of demonstrating security measures were surprised by an inspection of an eminently regulatory requirement, which is further evidence that our Authority will be inspired by foreign authorities, especially those in Europe.
From the analysis of the case, it is possible to see that the penalty amounts were coherent, following a logic and a pattern that is already widely used in the sanctioning processes applied by European authorities.
The ANPD went further than indicating the absence of a legal basis and stated, in the grounds for the decision of the inspection process, that: “Art. 7 of the LGPD is the backbone of the LGPD, without which there is no legal basis for legitimate data processing. In other words, the processing of data without support from at least one of the legal bases of Art. 7 of the LGPD is an infraction that, in isolation, has more serious contours since it has as its object one of the foundations of the very existence of the LGPD” (our emphasis).
When applying this first fine, the ANPD considered one of two hypotheses. Either (i) the controller did not adequately support the processing of personal data in one of the hypotheses provided for in art. 7 of the LGPD, or (ii) the legal basis attributed did not meet the requirements for application, such as the requirements for the application of consent in art. 8 or the requirements for the use of legitimate interest in art. 10, both also of the LGPD.
Amount of the fine for non-compliance with this item: R$7,200.00 (seven thousand and two hundred reais).