Page 1

Presidency of the Republic
General secretary
Deputy Chief of Legal Affairs
LAW No. 13.709, OF AUGUST 14, 2018.
Compiled text

Provides for the protection of personal data and amends Law No. 12.965, of April 23, 2014 (Marco Civil da
Internet).

veto message

General Law for the Protection of Personal Data (LGPD).

Validity

(Wording given by Law No. 13.853 of 2019) Validity

THE PRESIDENT OF THE REPUBLIC I make it known that the National Congress enacts and I enact the following Law:
CHAPTER I
PRELIMINARY PROVISIONS
Art. 1 This Law provides for the processing of personal data, including in digital media, by a natural person or by a legal entity governed by public or private law, with the aim of protecting the fundamental rights of freedom
and of privacy and the free development of the natural person's personality.
Single paragraph. The general rules contained in this Law are of national interest and must be observed by the Union, States, Federal District and Municipalities. (Included by Law No. 13.853 of 2019)

Validity

Art. 2 The discipline of personal data protection is based on:
I - respect for privacy;
II - informative self-determination;
III - freedom of expression, information, communication and opinion;
IV - the inviolability of intimacy, honor and image;
V - economic and technological development and innovation;
VI - free enterprise, free competition and consumer protection; and
VII - human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.
Art. 3 This Law applies to any processing operation carried out by a natural person or by a legal entity governed by public or private law, regardless of the environment, the country of its headquarters or the country in which they are located.
located the data, provided that:
I - the treatment operation is carried out in the national territory;
II - the processing activity has as its objective the offer or supply of goods or services or the processing of data of individuals located in the national territory;
II - the processing activity has as its objective the offer or supply of goods or services or the processing of data of individuals located in the national territory; or
of 2018)

(Wording given by Provisional Measure No. 869,

II - the processing activity has as its objective the offer or supply of goods or services or the processing of data of individuals located in the national territory; or (Wording given by Law No. 13.853 of 2019)
Validity
III - the personal data object of the processing has been collected in the national territory.
§ 1º Personal data whose owner is found in it at the time of collection are considered to be collected in the national territory.
§ 2 The processing of data provided for in item IV of the caput of art. 4 of this Law.
Art. 4 This Law does not apply to the processing of personal data:
I - performed by a natural person for exclusively private and non-economic purposes;
II - performed for purposes only:
a) journalistic and artistic; or
b) academics, applying arts. 7 and 11 of this Law;
b) academics;
(Wording given by Provisional Measure No. 869 of 2018)
b) academics, applying arts. 7 and 11 of this Law;
III - performed for the exclusive purposes of:
a) public safety;
b) national defense;
c) State security; or
d) investigation and prosecution of criminal offences; or
IV - coming from outside the national territory and that are not the object of communication, shared use of data with Brazilian processing agents or object of international data transfer with another country that
not that of origin, provided that the country of origin provides a level of protection of personal data that is adequate to that provided for in this Law.
§ 1 The processing of personal data provided for in item III shall be governed by specific legislation, which shall provide for proportional and strictly necessary measures to serve the public interest, subject to due
legal process, the general principles of protection and the rights of the holder provided for in this Law.
§ 2 The processing of the data referred to in item III of the caput of this article by a person governed by private law is prohibited, except in procedures under the tutelage of a legal entity governed by public law, which will be the object of a report
specific to the national authority and that they must observe the limitation imposed in § 4 of this article.
§ 2 The processing of the data referred to in item III of the caput by a legal entity governed by private law will only be admitted in procedures under the supervision of a legal entity governed by public law, in which case the
limitation referred to in § 3.
(Wording given by Provisional Measure No. 869 of 2018)
§ 2 The processing of the data referred to in item III of the caput of this article by a person governed by private law is prohibited, except in procedures under the tutelage of a legal entity governed by public law, which will be the object of a report
specific to the national authority and that they must observe the limitation imposed in § 4 of this article.
§ 3 The national authority shall issue technical opinions or recommendations regarding the exceptions provided for in item III of the caput of this article and shall request reports on the impact of the protection of personal data from those responsible.
§ 3 The personal data contained in databases created for the purposes referred to in item III of the caput may not be processed in their entirety by legal entities governed by private law, not including the
controlled by the Public Power.
(Wording given by Provisional Measure No. 869 of 2018)
§ 3 The national authority shall issue technical opinions or recommendations regarding the exceptions provided for in item III of the caput of this article and shall request reports on the impact of the protection of personal data from those responsible.
§ 4 In no case may all the personal data in the database referred to in item III of the caput of this article be processed by a person governed by private law.

(Revoked by Provisional Measure No. 869, of

2018)
§ 4 In no case may all the personal data in the database referred to in item III of the caput of this article be processed by a person governed by private law, except by one who has full capital
constituted by the public power. (Wording given by Law No. 13.853 of 2019)
Validity
Art. 5 For the purposes of this Law, it is considered:
I - personal data: information related to an identified or identifiable natural person;
II - sensitive personal data: personal data on racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data relating to health or sexual life,
genetic or biometric data, when linked to a natural person;
III - anonymized data: data relating to a holder that cannot be identified, considering the use of reasonable technical means available at the time of its treatment;
IV - database: structured set of personal data, established in one or several locations, in electronic or physical support;
V - holder: natural person to whom the personal data that are the object of processing refer;
VI - controller: natural or legal person, under public or private law, who are responsible for decisions regarding the processing of personal data;
VII - operator: natural or legal person, under public or private law, who processes personal data on behalf of the controller;
VIII - supervisor: natural person, appointed by the controller, who acts as a communication channel between the controller and the holders and the national authority;
VIII - in charge: person appointed by the controller to act as a communication channel between the controller, the data subjects and the National Data Protection Authority;
Provisional No. 869 of 2018)

(Wording given by the Measure

VIII - in charge: person appointed by the controller and operator to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD); (Writing given by
Law No. 13.853 of 2019)
Validity
IX - treatment agents: the controller and the operator;
X - treatment: any operation performed with personal data, such as those relating to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving,
storing, deleting, evaluating or controlling information, modifying, communicating, transferring, diffusing or extracting;
XI - anonymization: use of reasonable technical means available at the time of processing, whereby data loses the possibility of direct or indirect association with an individual;
XII - consent: free, informed and unambiguous manifestation by which the holder agrees with the processing of his/her personal data for a specific purpose;
XIII - blocking: temporary suspension of any processing operation, by keeping personal data or the database;
XIV - deletion: deletion of data or set of data stored in a database, regardless of the procedure used;
XV - international data transfer: transfer of personal data to a foreign country or international organization of which the country is a member;
XVI - shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared treatment of personal data banks by public bodies and entities in compliance
of their legal powers, or between these and private entities, reciprocally, with specific authorization, for one or more modalities of treatment allowed by these public entities, or between private entities;
XVII - impact report on the protection of personal data: controller documentation that contains the description of the processes for processing personal data that may generate risks to civil liberties and rights
fundamentals, as well as measures, safeguards and risk mitigation mechanisms;
XVIII - research body: body or entity of direct or indirect public administration or non-profit private law legal entity legally constituted under Brazilian law, with headquarters and jurisdiction in the country, which includes
in its institutional mission or in its social or statutory purpose, basic or applied research of a historical, scientific, technological or statistical nature;
XVIII - research body: body or entity of direct or indirect public administration or non-profit private law legal entity legally constituted under Brazilian law, with headquarters and jurisdiction in the country, which includes
in its institutional mission or in its social or statutory purpose, basic or applied research of a historical, scientific, technological or statistical nature; and
(Wording given by Provisional Measure No. 869 of 2018)
XVIII - research body: body or entity of direct or indirect public administration or non-profit private law legal entity legally constituted under Brazilian law, with headquarters and jurisdiction in the country, which includes
in its institutional mission or in its social or statutory purpose, basic or applied research of a historical, scientific, technological or statistical nature; and (Wording given by Law No. 13.853 of 2019)
XIX - national authority: indirect public administration body responsible for overseeing, implementing and supervising compliance with this Law.
XIX - national authority: public administration body responsible for overseeing, implementing and supervising compliance with this Law.

Validity

(Wording given by Provisional Measure No. 869 of 2018)

XIX - national authority: public administration body responsible for overseeing, implementing and supervising compliance with this Law throughout the national territory. (Wording given by Law No. 13.853 of 2019) Validity
Art. 6 Personal data processing activities must observe good faith and the following principles:
I - purpose: processing for legitimate, specific, explicit and informed purposes to the holder, without the possibility of further processing in a manner incompatible with these purposes;
II - adequacy: compatibility of the treatment with the purposes informed to the holder, according to the context of the treatment;
III - necessity: limitation of the processing to the minimum necessary for the accomplishment of its purposes, with the scope of pertinent data, proportional and not excessive in relation to the purposes of the data processing;
IV - free access: guarantee, to the holders, of easy and free consultation on the form and duration of the treatment, as well as on the completeness of their personal data;
V - data quality: guarantee, to the data subjects, of accuracy, clarity, relevance and updating of the data, according to the need and for the fulfillment of the purpose of its treatment;
VI - transparency: guarantee, to the holders, of clear, accurate and easily accessible information about the performance of the treatment and the respective treatment agents, observing commercial and industrial secrets;
VII - security: use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or illegal situations of destruction, loss, alteration, communication or dissemination;
VIII - prevention: adoption of measures to prevent the occurrence of damage due to the processing of personal data;
IX - non-discrimination: impossibility of carrying out treatment for unlawful or abusive discriminatory purposes;
X - accountability and accountability: demonstration, by the agent, of the adoption of effective measures capable of proving the observance and compliance with the rules for the protection of personal data and, including, the
effectiveness of these measures.
CHAPTER II
PROCESSING PERSONAL DATA
Section I
Requirements for the Processing of Personal Data
Art. 7 The processing of personal data can only be carried out in the following cases:
I - upon the provision of consent by the holder;
II - for compliance with a legal or regulatory obligation by the controller;
III - by the public administration, for the processing and shared use of data necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or instruments
congeners, subject to the provisions of Chapter IV of this Law;
IV - to carry out studies by a research body, ensuring, whenever possible, the anonymization of personal data;
V - when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;
VI - for the regular exercise of rights in judicial, administrative or arbitration proceedings, the latter pursuant to Law No. 9,307, of September 23, 1996 (Arbitration Law) ;
VII - to protect the life or physical safety of the owner or third party;
VIII - for the protection of health, in a procedure carried out by health professionals or health entities;
VIII - for the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority; (Wording given by Law No. 13.853 of 2019)

Validity

IX - when necessary to meet the legitimate interests of the controller or third party, except in the case where fundamental rights and freedoms of the holder that require the protection of personal data prevail; or
X - for credit protection, including the provisions of the relevant legislation.
§ 1 In the cases of application of the provisions of items II and III of the caput of this article and except for the cases provided for in art. 4 of this Law, the holder will be informed of the cases in which the treatment of their
Dice.
(Revoked by Provisional Measure No. 869 of 2018)
§ 1 (Revoked) .

(Wording given by Law No. 13.853 of 2019)

§ 2 The form of making available the information provided for in § 1 and in item I of the caput of art. 23 of this Law may be specified by the national authority.
§ 2 (Revoked) . (Wording given by Law No. 13.853 of 2019)

(Revoked by Provisional Measure No. 869 of 2018)

Validity

§ 3 The processing of personal data whose access is public must consider the purpose, good faith and public interest that justified its availability.
§ 4 The requirement of consent provided for in the caput of this article is waived for data made manifestly public by the holder, safeguarding the rights of the holder and the principles provided for in this Law.
§ 5 The controller who obtained the consent referred to in item I of the caput of this article who needs to communicate or share personal data with other controllers must obtain specific consent from the holder to
for this purpose, except in the cases of waiver of consent provided for in this Law.
§ 6 The eventual waiver of the consent requirement does not relieve the processing agents from the other obligations provided for in this Law, especially from the observance of the general principles and the guarantee of the rights of the
holder.
§ 7 The subsequent processing of personal data referred to in §§ 3 and 4 of this article may be carried out for new purposes, provided that the legitimate and specific purposes for the new processing and
preservation of the rights of the holder, as well as the foundations and principles provided for in this Law. (Included by Law No. 13.853, of 2019)
Validity
Art. 8 The consent provided for in item I of art. 7 of this Law must be provided in writing or by other means that demonstrate the holder's expression of will.
§ 1 If the consent is provided in writing, it must be included in a clause highlighted in the other contractual clauses.
§ 2 The controller is responsible for proving that consent was obtained in accordance with the provisions of this Law.
§ 3 The processing of personal data is prohibited by means of defect of consent.
§ 4 The consent must refer to specific purposes, and generic authorizations for the processing of personal data will be null and void.
§ 5 The consent may be revoked at any time by express manifestation of the holder, by free and facilitated procedure, ratified the treatments performed under the consent previously
manifested while there is no request for elimination, pursuant to item VI of the caput of art. 18 of this Law.
§ 6 In case of change of information referred to in items I, II, III or V of art. 9 of this Law, the controller must inform the holder, specifically highlighting the content of the changes, and the holder may, in cases in
that your consent is required, revoke it if you do not agree with the change.
Art. 9. The holder has the right to easy access to information on the processing of their data, which must be made available in a clear, adequate and ostensible way about, among other characteristics provided for in
regulation to comply with the principle of free access:
I - specific purpose of the treatment;
II - form and duration of treatment, observing commercial and industrial secrets;
III - controller identification;
IV - controller contact information;
V - information about the shared use of data by the controller and the purpose;
VI - responsibilities of agents who will carry out the treatment; and
VII - rights of the holder, with explicit mention of the rights contained in art. 18 of this Law.
§ 1 In the event that consent is required, this will be considered null if the information provided to the holder has misleading or abusive content or has not been previously presented with
transparency, clearly and unambiguously.
§ 2 In the event that consent is required, if there is a change in the purpose for the processing of personal data that is not compatible with the original consent, the controller must inform the holder in advance
about changes of purpose, the holder being able to revoke the consent, if he disagrees with the changes.
§ 3 When the processing of personal data is a condition for the supply of a product or service or for the exercise of a right, the holder will be prominently informed about this fact and about the means by which he can
exercise the rights of the holder listed in art. 18 of this Law.
Art. 10. The legitimate interest of the controller may only support the processing of personal data for legitimate purposes, considered from concrete situations, which include, but are not limited to:
I - support and promotion of the controller's activities; and
II - protection, in relation to the holder, of the regular exercise of their rights or provision of services that benefit them, respecting their legitimate expectations and fundamental rights and freedoms, under the terms of this Law.
§ 1 When the processing is based on the legitimate interest of the controller, only personal data strictly necessary for the intended purpose may be processed.
§ 2 The controller shall adopt measures to ensure the transparency of data processing based on its legitimate interest.
§ 3 The national authority may request from the controller a report on the impact on the protection of personal data, when the processing is based on its legitimate interest, subject to commercial and industrial secrets.
Section II
Treatment of Sensitive Personal Data
Art. 11. The processing of sensitive personal data can only occur in the following cases:
I - when the holder or his legal guardian consents, in a specific and prominent manner, for specific purposes;
II - without providing the holder's consent, in cases where it is essential to:
a) compliance with a legal or regulatory obligation by the controller;
b) shared processing of data necessary for the execution, by the public administration, of public policies provided for in laws or regulations;
c) conducting studies by a research body, ensuring, whenever possible, the anonymization of sensitive personal data;
d) regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings, the latter under the terms of Law No. 9,307, of September 23, 1996 (Arbitration Law) ;
e) protection of the life or physical safety of the owner or third party;
f) health protection, in a procedure carried out by health professionals or health entities; or
f) protection of health, exclusively, in a procedure performed by health professionals, health services or health authority; or (Wording given by Law No. 13.853 of 2019)

Validity

g) guarantee of fraud prevention and security of the holder, in the identification and authentication processes of registration in electronic systems, safeguarding the rights mentioned in art. 9 of this Law and except in the case of
fundamental rights and freedoms of the data subject that require the protection of personal data prevail.
§ 1 The provisions of this article apply to any processing of personal data that reveals sensitive personal data and that may cause damage to the holder, except as provided for in specific legislation.
§ 2 In cases of application of the provisions of items "a" and "b" of item II of the caput of this article by public bodies and entities, the aforementioned waiver of consent shall be publicized, pursuant to item I of the
caput of art. 23 of this Law.
§ 3 The communication or shared use of sensitive personal data between controllers in order to obtain economic advantage may be subject to prohibition or regulation by the national authority,
hearing the sectorial bodies of the Public Power, within the scope of their competences.
§ 4 The communication or shared use between controllers of sensitive personal data relating to health in order to obtain economic advantage is prohibited, except in cases of data portability when
consented by the holder.
§ 4 The communication or shared use between controllers of sensitive personal data relating to health in order to obtain economic advantage is prohibited, except in the cases of:
Provisional Measure No. 869 of 2018)
I - data portability when consented by the holder; or
(Included by Provisional Measure No. 869 of 2018)
II - need for communication for the adequate provision of supplementary health services.
(Included by Provisional Measure No. 869 of 2018)

(Writing given by

§ 4 The communication or shared use between controllers of sensitive personal data relating to health in order to obtain economic advantage is prohibited, except in the cases related to the provision of services of
health, pharmaceutical care and health care, provided that paragraph 5 of this article is observed, including auxiliary diagnostic and therapy services, for the benefit of the interests of data subjects, and to allow:
(Wording given by Law No. 13.853 of 2019)
Validity
I - data portability when requested by the holder; or

(Included by Law No. 13.853 of 2019)

Validity

II - financial and administrative transactions resulting from the use and provision of the services referred to in this paragraph.

(Included by Law No. 13.853 of 2019)

Validity

§ 5 Operators of private health care plans are prohibited from processing health data for the practice of risk selection in the contracting of any modality, as well as in the contracting and exclusion of
beneficiaries.
(Included by Law No. 13.853 of 2019)
Validity
Art. 12. Anonymized data will not be considered personal data for the purposes of this Law, except when the anonymization process to which they were submitted is reversed, using exclusively its own means, or
when, with reasonable efforts, it can be reversed.
§ 1 The determination of what is reasonable must take into account objective factors, such as the cost and time needed to reverse the anonymization process, according to available technologies, and use
exclusive of own means.
§ 2 Personal data may also be considered, for the purposes of this Law, those used to form the behavioral profile of a particular natural person, if identified.
§ 3 The national authority may provide for standards and techniques used in anonymization processes and carry out checks on their security, after consulting the National Council for the Protection of Personal Data.
Art. 13. When conducting studies in public health, research bodies may have access to personal databases, which will be treated exclusively within the body and strictly for the purpose of carrying out
studies and researches and kept in a controlled and safe environment, according to security practices provided for in specific regulations and that include, whenever possible, the anonymization or pseudonymization of data, as well
how they consider the proper ethical standards related to studies and research.
§ 1 The disclosure of results or any excerpt of the study or research referred to in the caput of this article under no circumstances may reveal personal data.
§ 2 The research body will be responsible for the security of the information provided for in the caput of this article, not allowing, under any circumstances, the transfer of data to a third party.
§ 3 Access to the data referred to in this article shall be subject to regulation by the national authority and the authorities in the health and health area, within the scope of their competences.
§ 4 For the purposes of this article, pseudonymization is the treatment whereby data loses the possibility of association, directly or indirectly, with an individual, except through the use of additional information maintained
separately by the controller in a controlled and safe environment.
Section III
Treatment of Personal Data of Children and Adolescents
Art. 14. The processing of personal data of children and adolescents must be carried out in their best interest, under the terms of this article and of the pertinent legislation.
§ 1 The processing of personal data of children must be carried out with the specific and prominent consent given by at least one of the parents or by the legal guardian.
§ 2 In the treatment of data referred to in § 1 of this article, the controllers shall keep public information on the types of data collected, the form of its use and the procedures for the exercise of rights
referred to in art. 18 of this Law.
§ 3 Children's personal data may be collected without the consent referred to in § 1 of this article when collection is necessary to contact the parents or legal guardian, used only once and without
storage, or for their protection, and in no case may they be transferred to a third party without the consent referred to in § 1 of this article.
§ 4 The controllers shall not condition the participation of the holders referred to in § 1 of this article in games, internet applications or other activities to the provision of personal information in addition to strictly
necessary for the activity.
§ 5 The controller must make all reasonable efforts to verify that the consent referred to in § 1 of this article was given by the person responsible for the child, considering the available technologies.
§ 6 The information on the processing of data referred to in this article must be provided in a simple, clear and accessible manner, considering the physical-motor, perceptual, sensory, intellectual and
users, with the use of audiovisual resources when appropriate, in order to provide the necessary information to the parents or legal guardian and adequate to the child's understanding.
Section IV
End of Data Processing
Art. 15. The termination of the processing of personal data will occur in the following cases:
I - verification that the purpose has been achieved or that the data is no longer necessary or relevant to the achievement of the desired specific purpose;
II - end of the treatment period;
III - communication by the holder, including in the exercise of his right to revoke consent as provided for in § 5 of art. 8 of this Law, safeguarding the public interest; or
IV - determination of the national authority, when there is a violation of the provisions of this Law.
Art. 16. Personal data will be deleted after the end of its treatment, within the scope and technical limits of the activities, with authorization to be preserved for the following purposes:
I - compliance with a legal or regulatory obligation by the controller;
II - study by a research body, ensuring, whenever possible, the anonymization of personal data;
III - transfer to a third party, provided that the data processing requirements set forth in this Law are respected; or
IV - exclusive use of the controller, its access by a third party being prohibited, and provided that the data is anonymized.
CHAPTER III
HOLDER'S RIGHTS
Art. 17. Every natural person is assured the ownership of his/her personal data and guaranteed the fundamental rights of freedom, intimacy and privacy, under the terms of this Law.
Art. 18. The holder of personal data has the right to obtain from the controller, in relation to the holders data processed by him, at any time and upon request:
I - confirmation of the existence of treatment;
II - access to data;
III - correction of incomplete, inaccurate or outdated data;
IV - anonymization, blocking or deletion of unnecessary, excessive or processed data in disagreement with the provisions of this Law;
V - data portability to another service or product supplier, upon express request and observing commercial and industrial secrets, in accordance with the regulation of the controlling body;
V - portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets; (Writing given
by Law No. 13.853 of 2019)
Validity
VI - deletion of personal data processed with the consent of the holder, except in the cases provided for in art. 16 of this Law;
VII - information on public and private entities with which the controller shared data;
VIII - information on the possibility of not providing consent and on the consequences of denial;
IX - revocation of consent, pursuant to § 5 of art. 8 of this Law.
§ 1 The holder of personal data has the right to petition in relation to their data against the controller before the national authority.
§ 2 The holder may object to the treatment carried out based on one of the cases of waiver of consent, in case of non-compliance with the provisions of this Law.
§ 3 The rights provided for in this article shall be exercised upon the express request of the holder or legally constituted representative, to the processing agent.
§ 4 In case of impossibility of immediate adoption of the measure referred to in § 3 of this article, the controller will send the holder a reply in which he may:
I - communicate that it is not a data processing agent and indicate, whenever possible, the agent; or
II - indicate the reasons of fact or law that prevent the immediate adoption of the measure.
§ 5 The application referred to in § 3 of this article will be met free of charge to the holder, within the terms and conditions provided for in the regulation.
§ 6 The responsible person shall immediately inform the processing agents with whom he/she has shared the use of data, the correction, deletion, anonymization or blocking of the data, so that
repeat the same procedure, except in cases where this communication proves to be impossible or implies a disproportionate effort. (Wording given by Law No. 13.853 of 2019)

Validity

§ 7 The portability of personal data referred to in item V of the caput of this article does not include data that has already been anonymized by the controller.
§ 8 The right referred to in § 1 of this article may also be exercised before consumer protection bodies.
Art. 19. Confirmation of existence or access to personal data will be provided, upon request by the holder:
I - in simplified format, immediately; or
II - by means of a clear and complete statement, indicating the origin of the data, the lack of registration, the criteria used and the purpose of the treatment, observing the commercial and industrial secrets, provided within
up to 15 (fifteen) days from the date of application by the holder.
§ 1st Personal data will be stored in a format that favors the exercise of the right of access.
§ 2 The information and data may be provided, at the holder's discretion:
I - by electronic means, secure and suitable for this purpose; or
II - in printed form.
§ 3 When the treatment originates in the consent of the holder or in a contract, the holder may request a full electronic copy of his personal data, subject to commercial and industrial secrets, pursuant to
regulation of the national authority, in a format that allows its subsequent use, including in other processing operations.
§ 4 The national authority may have a differentiated form regarding the deadlines provided for in items I and II of the caput of this article for specific sectors.
Art. 20. The data subject has the right to request a review, by a natural person, of decisions taken solely on the basis of automated processing of personal data that affect their interests, including decisions
designed to define your personal, professional, consumer and credit profile or aspects of your personality.
Art. 20. The data subject has the right to request a review of decisions taken solely on the basis of automated processing of personal data that affect their interests, including decisions designed to define the
your personal, professional, consumer and credit profile or aspects of your personality.
(Wording given by Provisional Measure No. 869 of 2018)
Art. 20. The data subject has the right to request a review of decisions taken solely on the basis of automated processing of personal data that affect their interests, including decisions designed to define the
your personal, professional, consumer and credit profile or aspects of your personality. (Wording given by Law No. 13.853 of 2019)
Validity
§ 1 The controller shall provide, whenever requested, clear and adequate information regarding the criteria and procedures used for the automated decision, observing commercial and industrial secrets.
§ 2 In case of non-offer of information referred to in § 1 of this article based on the observance of commercial and industrial secrecy, the national authority may carry out an audit to verify aspects
discrimination in automated processing of personal data.
§ 3 (VETOED) . (Included by Law No. 13.853 of 2019)

Validity

Art. 21. Personal data relating to the regular exercise of rights by the holder cannot be used to their detriment.
Article 22. The defense of the interests and rights of data subjects may be exercised in court, individually or collectively, in accordance with the provisions of the relevant legislation, regarding the instruments of individual and
collective.
CHAPTER IV
THE PROCESSING OF PERSONAL DATA BY THE PUBLIC AUTHORITIES
Section I
of the rules
Art. 23. The processing of personal data by legal entities governed by public law referred to in the sole paragraph of art. 1 of Law No. 12,527, of November 18, 2011 (Access to Information Law) , must be carried out for the
fulfillment of its public purpose, in pursuit of the public interest, in order to perform the legal powers or fulfill the legal attributions of the public service, provided that:
I - the cases in which, in the exercise of their powers, they process personal data are informed, providing clear and updated information on the legal provision, purpose, procedures and
practices used to carry out these activities, in easily accessible vehicles, preferably on their websites;
II - (VETOED); and
III - a person in charge is appointed when carrying out operations for the processing of personal data, pursuant to art. 39 of this Law.
III - a person in charge is appointed when carrying out operations for the processing of personal data, pursuant to art. 39 of this Law; and (Wording given by Law No. 13.853 of 2019)
IV - (VETOED) . (Included by Law No. 13.853 of 2019)

Validity

Validity

§ 1 The national authority may provide for forms of publicity for processing operations.
§ 2 The provisions of this Law do not exempt the legal entities mentioned in the caput of this article from establishing the authorities referred to in Law No. 12,527, of November 18, 2011 (Access to Information Law) .
§ 3 The deadlines and procedures for exercising the rights of the holder before the Public Power shall comply with the provisions of specific legislation, in particular the provisions of Law No. 9,507, of November 12, 1997
(Habeas Data Law) , Law No. 9,784, of January 29, 1999 (General Law on Administrative Procedure) , and Law No. 12,527, of November 18, 2011 (Access to Information Law) .
§ 4 Notarial and registration services performed in private, by delegation of the Public Power, will have the same treatment given to legal entities referred to in the caput of this article, under the terms of this Law.
§ 5 The notary and registration bodies must provide access to data by electronic means for the public administration, in view of the purposes referred to in the caput of this article.
Art. 24. Public companies and government-controlled companies that operate in competition, subject to the provisions of art. 173 of the Federal Constitution , will have the same treatment given to legal entities of
private law, under the terms of this Law.
Single paragraph. Public companies and government-controlled companies, when implementing public policies and within the scope of their execution, will have the same treatment given to bodies and
entities of the Public Power, under the terms of this Chapter.
Art. 25. The data must be kept in an interoperable and structured format for shared use, with a view to implementing public policies, providing public services, decentralizing public activity and
dissemination and access to information by the general public.
Art. 26. The shared use of personal data by the Public Power must meet the specific purposes of implementing public policies and legal attribution by public bodies and entities, respecting the principles
protection of personal data listed in art. 6 of this Law.
§ 1 The Public Power is prohibited from transferring to private entities personal data contained in databases to which it has access, except:
I - in cases of decentralized execution of public activity that requires the transfer, exclusively for this specific and determined purpose, subject to the provisions of Law No. 12,527, of November 18, 2011 (Law of
Access to Information) ;
II - (VETOED);
III - in cases where the data is publicly accessible, subject to the provisions of this Law.
III - if a person in charge of personal data processing operations is appointed, pursuant to art. 39;

Wording given by Provisional Measure No. 869 of 2018)

III - in cases where the data is publicly accessible, subject to the provisions of this Law.
IV - when there is a legal provision or the transfer is supported by contracts, agreements or similar instruments;
(Included by Provisional Measure No. 869 of 2018)
V - in the event that the transfer of data is aimed at preventing fraud and irregularities, or protecting and safeguarding the security and integrity of the data subject; or
IV - when there is a legal provision or the transfer is supported by contracts, agreements or similar instruments; or

(Included by Provisional Measure No. 869 of 2018)

(Included by Law No. 13.853 of 2019)

V - in the event that the transfer of data is solely aimed at preventing fraud and irregularities, or protecting and safeguarding the security and integrity of the data subject, provided that the processing for
other purposes. (Included by Law No. 13.853 of 2019)
Validity
VI - in cases where the data is publicly accessible, subject to the provisions of this Law.

(Included by Provisional Measure No. 869 of 2018)

§ 2 The contracts and agreements referred to in § 1 of this article must be communicated to the national authority.
Art. 27. The communication or shared use of personal data of a legal entity governed by public law to a person governed by private law will be informed to the national authority and will depend on the consent of the holder, except:
Art. 27. The communication or shared use of personal data from a legal entity governed by public law to a legal entity governed by private law shall depend on the consent of the holder, except:
Provisional No. 869 of 2018)

(Wording given by the Measure

Art. 27. The communication or shared use of personal data of a legal entity governed by public law to a person governed by private law will be informed to the national authority and will depend on the consent of the holder, except:
I - in the cases of waiver of consent provided for in this Law;
II - in cases of shared use of data, in which publicity will be given under the terms of item I of the caput of art. 23 of this Law; or
III - in the exceptions contained in § 1 of art. 26 of this Law.
Single paragraph. The information to the national authority referred to in the caput of this article will be subject to regulation. (Included by Law No. 13.853 of 2019)

Validity

Art. 28. (VETOED).
Art. 29. The national authority may request, at any time, the entities of the Public Power, to carry out operations for the processing of personal data, specific information on the scope and nature of the data and
other details of the treatment carried out and may issue a complementary technical opinion to ensure compliance with this Law.
Art. 29. The national authority may request, at any time, the bodies and entities of the Public Power to carry out operations for the processing of personal data, specific information on the scope and the
nature of the data and other details of the treatment carried out and may issue a complementary technical opinion to ensure compliance with this Law.
(Wording given by Provisional Measure No. 869 of 2018)
Art. 29. The national authority may request, at any time, the organs and entities of the public power to carry out operations for the processing of personal data, specific information on the scope and nature
of the data and other details of the treatment carried out and may issue a complementary technical opinion to ensure compliance with this Law. (Wording given by Law No. 13.853, of 2019)
Art. 30. The national authority may establish complementary norms for the activities of communication and sharing of personal data.
Section II
of responsibility
Art. 31. When there is a violation of this Law as a result of the processing of personal data by public bodies, the national authority may send a report with appropriate measures to stop the violation.
Art. 32. The national authority may request Public Power agents to publish reports on the impact on the protection of personal data and suggest the adoption of standards and good practices for data processing
by the Public Power.
CHAPTER V
INTERNATIONAL DATA TRANSFER
Art. 33. The international transfer of personal data is only allowed in the following cases:
I - for countries or international organizations that provide a level of personal data protection adequate to that provided for in this Law;
II - when the controller offers and proves guarantees of compliance with the principles, rights of the holder and the data protection regime provided for in this Law, in the form of:
a) specific contractual clauses for a given transfer;
b) standard contractual clauses;
c) global corporate standards;
d) regularly issued seals, certificates and codes of conduct;
III - when the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, in accordance with the instruments of international law;
IV - when the transfer is necessary to protect the life or physical safety of the holder or third party;
V - when the national authority authorizes the transfer;
VI - when the transfer results in a commitment assumed in an international cooperation agreement;
VII - when the transfer is necessary for the execution of public policy or legal attribution of the public service, with publicity being given under the terms of item I of the caput of art. 23 of this Law;
VIII - when the holder has provided his specific and highlighted consent for the transfer, with prior information on the international nature of the transaction, clearly distinguishing it from other purposes; or
IX - when necessary to meet the hypotheses provided for in items II, V and VI of art. 7 of this Law.
Single paragraph. For the purposes of item I of this article, legal entities governed by public law referred to in the sole paragraph of art. 1 of Law No. 12,527, of November 18, 2011 (Access to Information Law) , within the scope of its
legal powers, and those responsible, within the scope of their activities, may require the national authority to assess the level of protection of personal data conferred by a country or international organization.
Art. 34. The level of data protection of the foreign country or international organization mentioned in item I of the main section of art. 33 of this Law will be evaluated by the national authority, which will take into account:
I - the general and sectorial norms of the legislation in force in the country of destination or in the international organization;
II - the nature of the data;
III - observance of the general principles of protection of personal data and rights of the holders provided for in this Law;
IV - the adoption of security measures provided for in regulation;
V - the existence of judicial and institutional guarantees for the respect of personal data protection rights; and
VI - other specific circumstances relating to the transfer.
Art. 35. The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a given transfer, global corporate standards or seals, certificates and codes
of conduct, referred to in item II of the caput of art. 33 of this Law, will be carried out by the national authority.
§ 1 For the verification of the provisions of the caput of this article, the requirements, conditions and minimum guarantees for the transfer shall be considered, in compliance with the rights, guarantees and principles of this Law.

Validity

§ 2 In the analysis of contractual clauses, documents or global corporate standards submitted for approval by the national authority, additional information may be requested or steps taken may be carried out.
verification of treatment operations, when necessary.
§ 3 The national authority may designate certification bodies to carry out the provisions of the caput of this article, which will remain under its supervision under the terms defined in the regulation.
§ 4 The acts performed by a certification body may be reviewed by the national authority and, if not in compliance with this Law, submitted for review or cancelled.
§ 5 Sufficient guarantees of compliance with the general principles of protection and rights of the holder referred to in the caput of this article will also be analyzed in accordance with the technical and organizational measures adopted
by the operator, in accordance with the provisions of §§ 1 and 2 of art. 46 of this Law.
Art. 36. Changes in the guarantees presented as sufficient to comply with the general principles of protection and rights of the holder referred to in item II of art. 33 of this Law shall be communicated to the authority
national.
CHAPTER VI
PERSONAL DATA PROCESSING AGENTS
Section I
Controller and Operator
Art. 37. The controller and the operator must keep records of the personal data processing operations they carry out, especially when based on legitimate interest.
Art. 38. The national authority may order the controller to prepare a report on the impact on the protection of personal data, including sensitive data, referring to its data processing operations, pursuant to
regulation, subject to commercial and industrial secrets.
Single paragraph. Subject to the provisions of the caput of this article, the report must contain, at least, a description of the types of data collected, the methodology used for the collection and to guarantee the safety of the
information and analysis of the controller regarding the measures, safeguards and risk mitigation mechanisms adopted.
Art. 39. The operator must carry out the treatment in accordance with the instructions provided by the controller, who will verify compliance with the instructions and rules on the matter.
Art. 40. The national authority may provide for interoperability standards for the purposes of portability, free access to data and security, as well as the time for keeping records, in view of
especially necessity and transparency.
Section II
The Person Responsible for the Processing of Personal Data
Art. 41. The controller shall indicate the person in charge of processing personal data.
§ 1 The identity and contact information of the person in charge must be publicly disclosed, in a clear and objective manner, preferably on the controller's website.
§ 2 The supervisor's activities consist of:
I - accept complaints and communications from the holders, provide clarifications and take measures;
II - receive communications from the national authority and take measures;
III - guide the employees and contractors of the entity regarding the practices to be taken in relation to the protection of personal data; and
IV - perform other attributions determined by the controller or established in complementary rules.
§ 3 The national authority may establish complementary rules on the definition and attributions of the person in charge, including cases of exemption from the need for his/her appointment, according to the nature and size of the
entity or the volume of data processing operations.
§ 4 (VETOED) . (Included by Law No. 13.853 of 2019)

Validity
Section III
Liability and Compensation for Damages

Art. 42. The controller or operator who, due to the exercise of the activity of processing personal data, causes damage to another person, moral, individual or collective, in violation of data protection legislation
personal, is required to repair it.
§ 1 In order to ensure effective compensation to the data subject:
I - the operator is jointly and severally liable for damages caused by the processing when it fails to comply with the obligations of data protection legislation or when it has not followed the lawful instructions of the controller, in case
that the operator is equivalent to the controller, except in the cases of exclusion provided for in art. 43 of this Law;
II - controllers who are directly involved in the treatment that resulted in damages to the data subject are jointly and severally liable, except in the cases of exclusion provided for in art. 43 of this Law.
§ 2 The judge, in civil proceedings, may reverse the burden of proof in favor of the data subject when, in his/her judgment, the allegation is credible, there is hypo-sufficiency for the purposes of producing evidence or when the production of evidence
by the holder is excessively onerous.
§ 3 The actions for reparation for collective damages that have as their object liability under the terms of the caput of this article may be collectively exercised in court, subject to the provisions of the relevant legislation.
§ 4 The one who repairs the damage to the holder has the right of recourse against the other responsible parties, insofar as their participation in the harmful event.
Art. 43. Treatment agents will only be held liable when they prove:
I - who have not processed the personal data assigned to them;
II - that, although they processed the personal data assigned to them, there was no violation of data protection legislation; or
III - that the damage is due to the exclusive fault of the data subject or a third party.
Art. 44. The processing of personal data will be irregular when it fails to comply with the legislation or when it does not provide the security that the holder can expect, considering the relevant circumstances, including:
I - the way in which it is performed;
II - the result and the risks reasonably expected of it;
III - the techniques for processing personal data available at the time it was carried out.
Single paragraph. The controller or operator who, by failing to adopt the security measures provided for in art. 46 of this Law, give cause to damage.
Art. 45. Cases of violation of the holder's right in the context of consumer relations remain subject to the liability rules provided for in the relevant legislation.
CHAPTER VII
SAFETY AND GOOD PRACTICES
Section I
Security and Data Confidentiality
Art. 46. Processing agents must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss,
alteration, communication or any form of improper or unlawful treatment.
§ 1 The national authority may provide for minimum technical standards to make the provisions of the caput of this article applicable, considering the nature of the information processed, the specific characteristics of the processing and
the current state of technology, especially in the case of sensitive personal data, as well as the principles provided for in the caput of art. 6 of this Law.
§ 2 The measures referred to in the caput of this article must be observed from the design phase of the product or service until its execution.
Article 47. The processing agents or any other person who intervenes in one of the processing phases undertakes to guarantee the security of the information provided for in this Law in relation to personal data, even after the
its termination.
Art. 48. The controller must notify the national authority and the holder of the occurrence of a security incident that may cause relevant risk or damage to the holders.
§ 1 The communication will be made within a reasonable time, as defined by the national authority, and must mention, at least:
I - a description of the nature of the affected personal data;
II - information about the holders involved;
III - indication of the technical and security measures used for data protection, observing commercial and industrial secrets;
IV - the risks related to the incident;
V - the reasons for the delay, in case the communication was not immediate; and
VI - the measures that were or will be adopted to reverse or mitigate the effects of the loss.
§ 2 The national authority will verify the seriousness of the incident and may, if necessary to safeguard the rights of the holders, determine the controller to adopt measures, such as:
I - wide dissemination of the fact in the media; and
II - measures to reverse or mitigate the effects of the incident.
§ 3 In the judgment of the seriousness of the incident, any proof that adequate technical measures were adopted that make the affected personal data unintelligible, within the scope and technical limits of its
services, for third parties not authorized to access them.
Art. 49. The systems used for the processing of personal data must be structured in order to meet the security requirements, the standards of good practices and governance and the general principles provided for
in this Law and other regulatory standards.
Section II
Good Practices and Governance
Art. 50. The controllers and operators, within the scope of their competences, through the processing of personal data, individually or through associations, may formulate rules of good practices and governance that
establish the conditions of organization, the operating regime, the procedures, including complaints and petitions from holders, the safety rules, the technical standards, the specific obligations for the various
involved in the processing, educational activities, internal mechanisms for supervision and risk mitigation, and other aspects related to the processing of personal data.
§ 1 When establishing rules of good practice, the controller and the operator shall take into account, in relation to the processing and the data, the nature, scope, purpose and probability and severity of risks and
benefits arising from the processing of the data subject.
§ 2 In the application of the principles indicated in items VII and VIII of the main section of art. 6 of this Law, the controller, subject to the structure, scale and volume of its operations, as well as the sensitivity of the processed data and the
probability and severity of damage to data subjects may:
I - implement a privacy governance program that, at a minimum:
a) demonstrates the controller's commitment to adopting internal processes and policies that ensure comprehensive compliance with standards and good practices relating to the protection of personal data;
b) is applicable to the entire set of personal data under its control, regardless of how it was collected;
c) is adapted to the structure, scale and volume of its operations, as well as the sensitivity of the data processed;
d) establish adequate policies and safeguards based on a systematic assessment process of impacts and risks to privacy;
e) has the objective of establishing a relationship of trust with the holder, through transparent action and ensuring mechanisms for the holder's participation;
f) be integrated into its overall governance structure and establish and apply internal and external supervisory mechanisms;
g) have incident response and remediation plans; and
h) is constantly updated based on information obtained from continuous monitoring and periodic evaluations;
II - demonstrate the effectiveness of its privacy governance program when appropriate and, in particular, at the request of the national authority or other entity responsible for promoting compliance with good practices
or codes of conduct, which independently promote compliance with this Law.
§ 3 The rules of good practices and governance must be published and updated periodically and may be recognized and disseminated by the national authority.
Art. 51. The national authority will encourage the adoption of technical standards that facilitate control by the holders of their personal data.
CHAPTER VIII
SURVEILLANCE
Section I
Administrative Sanctions
Art. 52. Data processing agents, due to infringements committed to the rules provided for in this Law, are subject to the following administrative sanctions applicable by the national authority: (Validity)
I - warning, indicating the deadline for taking corrective measures;
II - simple fine of up to 2% (two percent) of the revenue of a legal entity governed by private law, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to R$ 50,000,000.00 (fifty
millions of reais) for infraction;
III - daily fine, observing the total limit referred to in item II;
IV - publicizing the infringement after its occurrence is duly investigated and confirmed;
V - blocking of the personal data to which the infringement refers until its regularization;
VI - deletion of personal data to which the infringement refers;
VII - (VETOED);
VIII - (VETOED);
IX - (VETOED).
X - (VETOED) ; (Included by Law No. 13,853 of 2019) (Promulgation of Vetoed Parties)
XI - (VETOED) ; (Included by Law No. 13,853 of 2019) (Promulgation of Vetoed Parties)
XII - (VETOED) . (Included by Law No. 13,853 of 2019) (Promulgation of Vetoed Parties)
X - partial suspension of the functioning of the database to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period, until the regularization of the processing activity by the controller;
(Included by Law No. 13.853 of 2019)
XI - suspension of the exercise of the activity of processing personal data to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period; (Included by Law No. 13.853 of 2019)
XII - partial or total prohibition of the exercise of activities related to data processing. (Included by Law No. 13.853 of 2019)
§ 1 The sanctions will be applied after an administrative procedure that allows for the opportunity of ample defense, in a gradual, isolated or cumulative manner, according to the peculiarities of the specific case and considered
the following parameters and criteria:
I - the seriousness and nature of the violations and affected personal rights;
II - the good faith of the offender;
III - the advantage obtained or intended by the infringer;
IV - the economic condition of the offender;
V - the recurrence;
VI - the degree of damage;
VII - the offender's cooperation;
VIII - the repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing damage, aimed at the safe and adequate treatment of data, in accordance with the provisions of item II of § 2 of art.
48 of this Law;
IX - the adoption of good practices and governance policy;
X - prompt adoption of corrective measures; and
XI - the proportionality between the seriousness of the offense and the intensity of the sanction.
§ 2 The provisions of this article do not replace the application of administrative, civil or criminal sanctions defined in specific legislation.
§ 2 The provisions of this article do not replace the application of administrative, civil or criminal sanctions defined in Law No. 8.078, of September 11, 1990, and in specific legislation. (Wording given by Law No. 13.853, of
2019)
Validity
§ 3 The provisions of items I, IV, V, VI, VII, VIII and IX of the main section of this article may be applied to public entities and bodies, without prejudice to the provisions of Law No. 8112, of December 11, 1990 (Bylaws of the server
Federal Public) , in Law No. 8429, of June 2, 1992 (Administrative Impropriety Law) , and in Law No. 12,527, of November 18, 2011 (Access to Information Law) .
§ 3 The provisions of items I, IV, V, VI, X, XI and XII of the main section of this article may be applied to public entities and bodies, without prejudice to the provisions of Law No. 8112, of December 11, 1990 , in Law No. 8429, of 2nd of
June 1992 , and Law No. 12,527, of November 18, 2011 . (Wording given by Law No. 13.853 of 2019)
§ 4 In calculating the amount of the fine referred to in item II of the caput of this article, the national authority may consider the total revenue of the company or group of companies, when it does not have the amount of revenue in the
branch of business activity in which the infringement occurred, defined by the national authority, or when the amount is presented incompletely or is not demonstrated in an unequivocal and reputable manner.
§ 5 The proceeds from the collection of fines applied by ANPD, whether or not registered in active debt, will be allocated to the Fund for the Defense of Diffuse Rights referred to in art. 13 of Law No. 7347, of July 24, 1985, and the Law
No. 9,008, of March 21, 1995. (Included by Law No. 13.853, of 2019)
§ 6 (VETOED). (Included by Law No. 13.853 of 2019)

(Promulgation of vetoed parts)

§ 6 The sanctions provided for in items X, XI and XII of the caput of this article shall apply: (Included by Law No. 13.853, of 2019)
I - only after having already imposed at least 1 (one) of the sanctions referred to in items II, III, IV, V and VI of the caput of this article for the same specific case; and (Included by Law No. 13.853 of 2019)
II - in the case of controllers submitted to other bodies and entities with sanctioning powers, after hearing these bodies. (Included by Law No. 13.853 of 2019)
§ 7 Individual leaks or unauthorized access referred to in the caput of art. 46 of this Law may be subject to direct conciliation between controller and holder and, if there is no agreement, the controller will be subject to
application of the penalties referred to in this article. (Included by Law No. 13.853 of 2019)
Validity
Art. 53. The national authority will define, through its own regulation on administrative sanctions for violations of this Law, which shall be the object of public consultation, the methodologies that will guide the calculation of the base value
of fine sanctions. (Validity)
§ 1 The methodologies referred to in the caput of this article must be previously published, for the awareness of treatment agents, and must objectively present the forms and dosimetries for calculating the base value
fine sanctions, which must contain detailed grounds for all of its elements, demonstrating compliance with the criteria provided for in this Law.
§ 2 The regulation of sanctions and corresponding methodologies must establish the circumstances and conditions for the adoption of a simple or daily fine.
Art. 54. The value of the daily fine penalty applicable to violations of this Law must observe the seriousness of the offense and the extent of the damage or loss caused and be substantiated by the national authority.
Single paragraph. The notice of the daily fine sanction must contain, at a minimum, the description of the obligation imposed, the reasonable period stipulated by the agency for its compliance and the amount of the daily fine to be applied by the
your non-compliance. (Validity)
CHAPTER IX
THE NATIONAL DATA PROTECTION AUTHORITY (ANPD) AND THE NATIONAL COUNCIL FOR THE PROTECTION OF PERSONAL DATA AND PRIVACY
Section I
From the National Data Protection Authority (ANPD)
Art. 55. (VETOED).

Article 55-A. The National Data Protection Authority - ANPD, a federal public administration body, member of the Presidency of the Republic, was created without any increase in expenses. (Included by Provisional Measure No. 869,
of 2018)
Article 55-B. Technical autonomy is guaranteed to ANPD.
(Included by Provisional Measure No. 869 of 2018)
Article 55-C. ANPD consists of:
(Included by Provisional Measure No. 869 of 2018)
I - Board of Directors, the highest management body;
(Included by Provisional Measure No. 869 of 2018)
II - National Council for the Protection of Personal Data and Privacy;
(Included by Provisional Measure No. 869 of 2018)
III - Internal Affairs;
(Included by Provisional Measure No. 869 of 2018)
IV - Ombudsman;
(Included by Provisional Measure No. 869 of 2018)
V - own legal advisory body; and
(Included by Provisional Measure No. 869 of 2018)
VI - administrative units and specialized units necessary for the application of the provisions of this Law.”
(Included by Provisional Measure No. 869 of 2018)
Article 55-D. ANPD's Board of Directors will be composed of five directors, including the Chief Executive Officer.
(Included by Provisional Measure No. 869 of 2018)
§ 1 The members of the Board of Directors of ANPD will be appointed by the President of the Republic and will occupy a position in a committee of the Senior Management and Advisory Group - DAS at level 5.
(Included by Measure
Provisional No. 869 of 2018)
§ 2 The members of the Board of Directors will be chosen from among Brazilians, of unblemished reputation, with a higher education level and high concept in the field of specialty of the positions for which they will be
appointed.
(Included by Provisional Measure No. 869 of 2018)
§ 3 The term of office of the members of the Board of Directors will be four years.
(Included by Provisional Measure No. 869 of 2018)
§ 4 The terms of office of the first appointed members of the Board of Directors shall be two, three, four, five and six years, as established in the nomination act.
(Included by Provisional Measure No.
869 of 2018)
§ 5 In the event of a vacancy in the position during the term of office of a member of the Board of Directors, the remaining term will be completed by the successor.
(Included by Provisional Measure No. 869 of 2018)
Article 55-E. The members of the Board of Directors will only lose their positions as a result of resignation, unappealable court conviction or penalty of dismissal resulting from a disciplinary administrative proceeding.
(Included by Provisional Measure No. 869 of 2018)
§ 1 Under the terms of the caput , it is incumbent upon the Minister of State, Head of the Civil House of the Presidency of the Republic, to initiate the disciplinary administrative process, which will be conducted by a special commission constituted by public servants
stable federations.
(Included by Provisional Measure No. 869 of 2018)
§ 2 It is incumbent upon the President of the Republic to determine the preventive removal, if necessary, and to deliver the judgment.
(Included by Provisional Measure No. 869 of 2018)
Article 55-F. The provisions of art. 6 of Law No. 12,813, of May 16, 2013 .
(Included by Provisional Measure No. 869 of 2018)
Single paragraph. Violation of the provisions of the caput characterizes an act of administrative improbity.
(Included by Provisional Measure No. 869 of 2018)
Article 55-G. Act of the President of the Republic will provide for ANPD's regimental structure.
(Included by Provisional Measure No. 869 of 2018)
Single paragraph. Until the date of entry into force of its regimental structure, ANPD will receive technical and administrative support from the Civil House of the Presidency of the Republic for the exercise of its activities.
(Included
by Provisional Measure No. 869 of 2018)
Article 55-H. The positions on commission and the functions of trust of ANPD will be reallocated from other organs and entities of the federal Executive Power.
(Included by Provisional Measure No. 869 of 2018)
Article 55-I. The occupants of positions in commission and functions of trust of ANPD will be appointed by the Board of Directors and appointed or appointed by the Chief Executive Officer.
(Included by Provisional Measure No.
869 of 2018)
Article 55-J. ANPD is responsible for:
(Included by Provisional Measure No. 869 of 2018)
I - ensure the protection of personal data;
(Included by Provisional Measure No. 869 of 2018)
II - edit rules and procedures on the protection of personal data;
(Included by Provisional Measure No. 869 of 2018)
III - resolve, at the administrative level, on the interpretation of this Law, its powers and omissions;
(Included by Provisional Measure No. 869 of 2018)
IV - request information, at any time, from the controllers and operators of personal data that carry out personal data processing operations;
(Included by Provisional Measure No. 869 of 2018)
V - implement simplified mechanisms, including electronically, for the registration of complaints about the processing of personal data in breach of this Law;
(Included by Provisional Measure No. 869,
of 2018)
VI - inspect and apply sanctions in the event of data processing carried out in breach of the law, through an administrative process that ensures the adversary system, full defense and the right to appeal;
(Included by Provisional Measure No. 869 of 2018)
(Included by Provisional Measure No. 869 of 2018)
Page 2 VII - communicate to the competent authorities the criminal offenses of which it becomes aware;
VIII - communicate to the internal control bodies the non-compliance with the provisions of this Law practiced by bodies and entities of the federal public administration;
(Included by Provisional Measure No. 869 of 2018)
IX - to disseminate in society the knowledge about the norms and public policies for the protection of personal data and about security measures;
(Included by Provisional Measure No. 869 of 2018)
X - to encourage the adoption of standards for services and products that facilitate the exercise of control and protection of the holders over their personal data, considering the specifics of the activities and the size of the
controllers;
(Included by Provisional Measure No. 869 of 2018)
XI - to prepare studies on national and international practices for the protection of personal data and privacy;
(Included by Provisional Measure No. 869 of 2018)
XII - promote cooperation actions with personal data protection authorities from other countries, of an international or transnational nature;
(Included by Provisional Measure No. 869 of 2018)
XIII – carry out public consultations to gather suggestions on topics of relevant public interest in ANPD's area of ​action;
(Included by Provisional Measure No. 869 of 2018)
XIV - to carry out, prior to issuing resolutions, the hearing of public administration entities or bodies responsible for regulating specific sectors of economic activity;
(Included by
Provisional Measure No. 869 of 2018)
XV - liaise with public regulatory authorities to exercise their powers in specific sectors of economic and governmental activities subject to regulation; and
(Included by the Provisional Measure
No. 869 of 2018)
XVI - prepare annual management reports on its activities.
(Included by Provisional Measure No. 869 of 2018)
§ 1 ANPD, when issuing its rules, must observe the minimum intervention requirement, ensuring the foundations and principles provided for in this Law and the provisions of art. 170 of the Constitution.
(Included by
Provisional Measure No. 869 of 2018)
§ 2 ANPD and the public bodies and entities responsible for the regulation of specific sectors of economic and governmental activity must coordinate their activities, in the corresponding spheres of action, with
aimed at ensuring the fulfillment of its duties with the greatest efficiency and promoting the proper functioning of the regulated sectors, in accordance with specific legislation, and the processing of personal data, in the form of this
Law.
(Included by Provisional Measure No. 869 of 2018)
§ 3 ANPD will maintain a permanent communication forum, including through technical cooperation, with public administration bodies and entities that are responsible for regulating specific sectors of the activity
economic and governmental, in order to facilitate the regulatory, inspection and punitive powers of ANPD.
(Included by Provisional Measure No. 869 of 2018)
§ 4 In the exercise of the powers referred to in the caput , the competent authority shall ensure the preservation of business secrecy and the secrecy of information, under the terms of the law, under penalty of liability.
(Included by Provisional Measure No. 869 of 2018)
§ 5 Complaints collected in accordance with the provisions of item V of the caput may be analyzed in an aggregated manner and any measures arising therefrom may be adopted in a standardized manner.
(Included
by Provisional Measure No. 869 of 2018)
Article 55-K. The application of the sanctions provided for in this Law is exclusively the responsibility of ANPD, whose other powers will prevail, with regard to the protection of personal data, over the related powers of other
entities or bodies of public administration.
(Included by Provisional Measure No. 869 of 2018)
Single paragraph. ANPD will articulate its activities with the National Consumer Defense System of the Ministry of Justice and with other bodies and entities with sanctioning and regulatory powers related to the issue of
protection of personal data, and will be the central body for the interpretation of this Law and the establishment of norms and guidelines for its implementation.
(Included by Provisional Measure No. 869 of 2018)
Article 55-A. The National Data Protection Authority (ANPD), a federal public administration body, member of the Presidency of the Republic, was created without any increase in expenditure.

(Included by Law No. 13.853, of

2019)
§ 1 The legal nature of ANPD is transitory and may be transformed by the Executive Branch into an indirect federal public administration entity, subject to a special autarchic regime and linked to the Presidency of the
Republic.
(Included by Law No. 13.853 of 2019)
§ 2 The assessment regarding the transformation provided for in § 1 of this article shall take place within 2 (two) years from the date of entry into force of the ANPD regimental structure.

(Included by Law No. 13.853 of 2019)

§ 3 The provision of positions and functions necessary for the creation and performance of ANPD is subject to express physical and financial authorization in the annual budget law and permission in the guidelines law
budget.
(Included by Law No. 13.853 of 2019)
Article 55-B. Technical and decision-making autonomy is guaranteed to ANPD.
Article 55-C. ANPD is composed of:

(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)

I - Board of Directors, the highest management body;

(Included by Law No. 13.853 of 2019)

II - National Council for the Protection of Personal Data and Privacy;
III - Internal Affairs;
IV - Ombudsman;

(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)
(Included by Law No. 13.853 of 2019)

V - own legal advisory body; and

(Included by Law No. 13.853 of 2019)

VI - administrative units and specialized units necessary for the application of the provisions of this Law.

(Included by Law No. 13.853 of 2019)

Article 55-D. ANPD's Board of Directors will be composed of 5 (five) directors, including the Chief Executive Officer.

(Included by Law No. 13.853 of 2019)

§ 1 The members of the ANPD Board of Directors will be chosen by the President of the Republic and appointed by him, after approval by the Federal Senate, under the terms of item 'f' of item III of art. 52 of the Federal Constitution,
and will occupy a position in a committee of the Superior Management and Advisory Group - DAS, at least at level 5.
(Included by Law No. 13.853 of 2019)
§ 2 The members of the Board of Directors will be chosen from among Brazilians who have an unblemished reputation, higher education level and high standing in the field of specialty of the positions for which they will be
appointed.
(Included by Law No. 13.853 of 2019)
§ 3 The term of office of the members of the Board of Directors shall be 4 (four) years.

(Included by Law No. 13.853 of 2019)

§ 4 The terms of office of the first appointed members of the Board of Directors shall be 2 (two), 3 (three), 4 (four), 5 (five) and 6 (six) years, as established in the appointment.
13,853 of 2019)

(Included by Law No.

§ 5 In the event of a vacancy in the position during the term of office of a member of the Board of Directors, the remaining term will be completed by the successor.

(Included by Law No. 13.853 of 2019)

Article 55-E. The members of the Board of Directors will only lose their positions as a result of resignation, unappealable court conviction or penalty of dismissal resulting from a disciplinary administrative proceeding.
(Included by Law No. 13.853 of 2019)
§ 1 Under the caput of this article, it is incumbent upon the Minister of State, Head of the Civil House of the Presidency of the Republic, to initiate the disciplinary administrative proceeding, which will be conducted by a special commission constituted by
stable federal civil servants. (Included by Law No. 13.853 of 2019)
§ 2 It is incumbent upon the President of the Republic to determine preventive removal, only when so recommended by the special commission referred to in § 1 of this article, and to deliver the judgment.
No. 13.853 of 2019)
Article 55-F. The provisions of art. 6 of Law No. 12,813, of May 16, 2013 .

(Included by Law

(Included by Law No. 13.853 of 2019)

Single paragraph. Violation of the provisions of the caput of this article characterizes an act of administrative improbity.
Article 55-G. Act of the President of the Republic will provide for ANPD's regimental structure.

(Included by Law No. 13.853 of 2019)
(Included by Law No. 13.853 of 2019)

§ 1 Until the date of entry into force of its regimental structure, ANPD will receive technical and administrative support from the Civil House of the Presidency of the Republic for the exercise of its activities.
13,853 of 2019)
§ 2 The Board of Directors will dispose of ANPD's internal regulations.

(Included by Law No.

(Included by Law No. 13.853 of 2019)

Article 55-H. The positions on commission and the functions of trust of ANPD will be reallocated from other organs and entities of the federal Executive Power.

(Included by Law No. 13.853 of 2019)

Article 55-I. The occupants of positions in commission and functions of trust of ANPD will be appointed by the Board of Directors and appointed or appointed by the Chief Executive Officer.
Article 55-J. ANPD is responsible for:

(Included by Law No. 13.853 of 2019)

I - ensure the protection of personal data, under the terms of the legislation;

Law;

(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)

II - ensure the observance of commercial and industrial secrets, observing the protection of personal data and the confidentiality of information when protected by law or when the breach of confidentiality violates the foundations of art. 2nd of this
(Included by Law No. 13.853 of 2019)
III - prepare guidelines for the National Policy for the Protection of Personal Data and Privacy;

(Included by Law No. 13.853 of 2019)

IV - inspect and apply sanctions in the event of data processing carried out in breach of the law, through an administrative process that ensures the adversary system, full defense and the right to appeal;
(Included by Law No. 13.853 of 2019)
V - to consider petitions from the holder against the controller after the holder has proven the presentation of a claim to the controller that has not been resolved within the period established by regulation;
of 2019)
VI - promote in the population the knowledge of the norms and public policies on the protection of personal data and security measures;

(Included by Law No. 13,853,

(Included by Law No. 13.853 of 2019)

VII - promote and prepare studies on national and international practices for the protection of personal data and privacy;

(Included by Law No. 13.853 of 2019)

VIII - to encourage the adoption of standards for services and products that facilitate the exercise of control by the holders over their personal data, which should take into account the specifics of the activities and the size
of those responsible;
(Included by Law No. 13.853 of 2019)
IX - promote cooperation actions with personal data protection authorities from other countries, of an international or transnational nature;

(Included by Law No. 13.853 of 2019)

X - to provide for the forms of publicity of operations for processing personal data, respecting commercial and industrial secrets;

(Included by Law No. 13.853 of 2019)

XI - request, at any time, public authorities to carry out personal data processing operations specific information on the scope, nature of the data and other details of the processing
carried out, with the possibility of issuing a complementary technical opinion to ensure compliance with this Law;
(Included by Law No. 13.853 of 2019)
XII - prepare annual management reports about its activities;

(Included by Law No. 13.853 of 2019)

XIII - edit regulations and procedures on the protection of personal data and privacy, as well as on reports on the impact on the protection of personal data for cases where the treatment represents a high risk to
guarantee of the general principles of personal data protection provided for in this Law;
(Included by Law No. 13.853 of 2019)
XIV - listen to treatment agents and society in matters of relevant interest and report on their activities and planning;

(Included by Law No. 13.853 of 2019)

XV - collect and apply its revenues and publish, in the management report referred to in item XII of the caput of this article, the details of its revenues and expenses;

(Included by Law No. 13.853 of 2019)

XVI - carry out audits, or determine their performance, within the scope of the inspection activity referred to in item IV and with due observance of the provisions of item II of the caput of this article, on the processing of data
personnel carried out by the treatment agents, including the government;
(Included by Law No. 13.853 of 2019)
XVII - enter into, at any time, a commitment with processing agents to eliminate irregularities, legal uncertainty or contentious situations in the context of administrative proceedings, in accordance with the provisions of
Decree-Law No. 4,657, of September 4, 1942;
(Included by Law No. 13.853 of 2019)
XVIII - edit simplified and differentiated rules, guidelines and procedures, including with regard to deadlines, for micro and small businesses, as well as business initiatives of an incremental nature
or disruptive that self-declare startups or innovation companies, may comply with this Law;
(Included by Law No. 13.853 of 2019)
XIX - to ensure that the processing of elderly data is carried out in a simple, clear, accessible and appropriate way for their understanding, under the terms of this Law and Law No. 10,741, of October 1, 2003 (Statute of
Elderly) ;
(Included by Law No. 13.853 of 2019)
XX - resolve, in the administrative sphere, in a terminative nature, on the interpretation of this Law, its powers and omissions;

(Included by Law No. 13.853 of 2019)

XXI - communicate to the competent authorities the criminal offenses of which it becomes aware;

(Included by Law No. 13.853 of 2019)

XXII - notify the internal control bodies of non-compliance with the provisions of this Law by bodies and entities of the federal public administration;

(Included by Law No. 13.853 of 2019)

XXIII - liaise with public regulatory authorities to exercise their powers in specific sectors of economic and governmental activities subject to regulation; and

(Included by Law No. 13.853, of

XXIV - implement simplified mechanisms, including by electronic means, for the registration of complaints about the processing of personal data in non-compliance with this Law.

(Included by Law No. 13.853, of

2019)

2019)
§ 1 When imposing administrative constraints on the processing of personal data by a private processing agent, whether they are limits, charges or constraints, ANPD must observe the minimum intervention requirement,
ensured the foundations, principles and rights of the holders provided for in art. 170 of the Federal Constitution and in this Law.
(Included by Law No. 13.853 of 2019)
§ 2 The regulations and rules published by ANPD must be preceded by public consultation and hearing, as well as regulatory impact analyses.

(Included by Law No. 13.853 of 2019)

§ 3 ANPD and the public bodies and entities responsible for the regulation of specific sectors of economic and governmental activity must coordinate their activities, in the corresponding spheres of action, with
aimed at ensuring the fulfillment of its duties with the greatest efficiency and promoting the proper functioning of the regulated sectors, in accordance with specific legislation, and the processing of personal data, in the form of this
Law.
(Included by Law No. 13.853 of 2019)
§ 4 ANPD will maintain a permanent communication forum, including through technical cooperation, with public administration bodies and entities responsible for regulating specific sectors of the activity
economic and governmental, in order to facilitate the regulatory, inspection and punitive powers of ANPD.
(Included by Law No. 13.853 of 2019)
§ 5 In the exercise of the powers referred to in the caput of this article, the competent authority shall ensure the preservation of business secrecy and the secrecy of information, under the terms of the law.
13,853 of 2019)

(Included by Law No.

§ 6 Complaints collected in accordance with the provisions of item V of the main section of this article may be analyzed in an aggregated manner, and any measures arising therefrom may be adopted in an aggregate manner.
standardized.
(Included by Law No. 13.853 of 2019)
Article 55-K. The application of the sanctions provided for in this Law is solely the responsibility of ANPD, and its powers will prevail, with regard to the protection of personal data, over the related powers of other
entities or bodies of public administration.
(Included by Law No. 13.853 of 2019)
Single paragraph. ANPD will articulate its activities with other bodies and entities with sanctioning and regulatory powers related to the subject of personal data protection and will be the central body for the interpretation of this Law and
setting standards and guidelines for its implementation.
(Included by Law No. 13.853 of 2019)
Article 55-L. The following constitute ANPD's revenues:

(Included by Law No. 13.853 of 2019)

I - the appropriations, consigned in the general budget of the Federal Government, special credits, additional credits, transfers and transfers granted to it;
II - donations, legacies, grants and other resources allocated to it;

(Included by Law No. 13.853 of 2019)

III - the amounts calculated in the sale or rental of movable and immovable property owned by it;

(Included by Law No. 13.853 of 2019)

IV - the amounts calculated in investments in the financial market of the revenues provided for in this article;
V - (VETOED);

(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)

VI - resources arising from agreements, agreements or contracts entered into with entities, bodies or companies, public or private, national or international;
VII - proceeds from the sale of publications, technical material, data and information, including for purposes of public bidding.

(Included by Law No. 13.853 of 2019)
(Included by Law No. 13.853 of 2019)

Art. 56. (VETOED).
Art. 5 7. (VETOED).
Section II
From the National Council for the Protection of Personal Data and Privacy
Art. 58. (VETOED).
Art. 58-A. The National Council for the Protection of Personal Data and Privacy will be composed of twenty-three representatives, alternate holders, of the following bodies:

(Included by Provisional Measure No. 869, of

I - six from the federal executive branch;
(Included by Provisional Measure No. 869 of 2018)
II - one from the Federal Senate;
(Included by Provisional Measure No. 869 of 2018)
III - one from the Chamber of Deputies;
(Included by Provisional Measure No. 869 of 2018)
IV - one from the National Council of Justice;
(Included by Provisional Measure No. 869 of 2018)
V - one from the National Council of the Public Ministry;
(Included by Provisional Measure No. 869 of 2018)
VI - one of the Brazilian Internet Steering Committee;
(Included by Provisional Measure No. 869 of 2018)
VII - four from civil society entities with proven performance in the protection of personal data;
(Included by Provisional Measure No. 869 of 2018)
VIII - four from scientific, technological and innovation institutions; and
(Included by Provisional Measure No. 869 of 2018)
IX - four from entities representing the business sector related to the area of ​personal data processing.
(Included by Provisional Measure No. 869 of 2018)
§ 1 The representatives will be appointed by the President of the Republic.
(Included by Provisional Measure No. 869 of 2018)
§ 2 The representatives referred to in items I to VI of the caput and their alternates shall be appointed by the holders of the respective bodies and entities of the public administration.

(Included by Provisional Measure No. 869, of

2018)

2018)
§ 3 The representatives referred to in items VII, VIII and IX of the caput and their alternates:
(Included by Provisional Measure No. 869 of 2018)
I - will be indicated in the form of a regulation;
(Included by Provisional Measure No. 869 of 2018)
II - will have a term of office of two years, one reappointment being permitted; and
(Included by Provisional Measure No. 869 of 2018)
III - cannot be members of the Internet Steering Committee in Brazil.
(Included by Provisional Measure No. 869 of 2018)
§ 4 Participation in the National Council for the Protection of Personal Data and Privacy will be considered as a provision of relevant public service, without remuneration.
Art. 58-B. It is incumbent upon the National Council for the Protection of Personal Data and Privacy:
(Included by Provisional Measure No. 869 of 2018)
I - to propose strategic guidelines and provide subsidies for the preparation of the National Policy for the Protection of Personal Data and Privacy and for ANPD's performance;

(Included by Provisional Measure No. 869 of 2018)
(Included by Provisional Measure No. 869, of

2018)
II - prepare annual evaluation reports on the execution of the actions of the National Policy for the Protection of Personal Data and Privacy;
III - suggest actions to be taken by ANPD;
(Included by Provisional Measure No. 869 of 2018)
IV - prepare studies and hold debates and public hearings on the protection of personal data and privacy; and
V - disseminate knowledge about the protection of personal data and privacy to the general population.

(Included by Provisional Measure No. 869 of 2018)
(Included by Provisional Measure No. 869 of 2018)
(Included by Provisional Measure No. 869 of 2018)

Art. 58-A. The National Council for the Protection of Personal Data and Privacy will be composed of 23 (twenty-three) representatives, holders and alternates, from the following bodies:
I - 5 (five) of the Federal Executive Branch;
II - 1 (one) from the Federal Senate;

(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)
(Included by Law No. 13.853 of 2019)

III - 1 (one) from the Chamber of Deputies;
IV - 1 (one) from the National Council of Justice;

(Included by Law No. 13.853 of 2019)
(Included by Law No. 13.853 of 2019)

V - 1 (one) from the National Council of the Public Ministry;

(Included by Law No. 13.853 of 2019)

VI - 1 (one) of the Brazilian Internet Steering Committee;

(Included by Law No. 13.853 of 2019)

VII - 3 (three) from civil society entities with activities related to the protection of personal data;
VIII - 3 (three) from scientific, technological and innovation institutions;

(Included by Law No. 13.853 of 2019)
(Included by Law No. 13.853 of 2019)

IX - 3 (three) of union confederations representing the economic categories of the productive sector;

(Included by Law No. 13.853 of 2019)

X - 2 (two) from entities representing the business sector related to the area of ​personal data processing; and
XI - 2 (two) from entities representing the labor sector.

(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)

§ 1 The representatives will be appointed by an act of the President of the Republic, delegation being allowed.

(Included by Law No. 13.853 of 2019)

§ 2 The representatives referred to in items I, II, III, IV, V and VI of the caput of this article and their alternates will be appointed by the heads of the respective bodies and entities of the public administration.
13,853 of 2019)
§ 3 The representatives referred to in items VII, VIII, IX, X and XI of the caput of this article and their alternates:
I - will be indicated in the form of a regulation;

(Included by Law No.

(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)

II - cannot be members of the Internet Steering Committee in Brazil;

(Included by Law No. 13.853 of 2019)

III - will have a term of office of 2 (two) years, with 1 (one) renewal allowed.

(Included by Law No. 13.853 of 2019)

§ 4 Participation in the National Council for the Protection of Personal Data and Privacy will be considered as a provision of relevant public service, without remuneration.
Art. 58-B. It is incumbent upon the National Council for the Protection of Personal Data and Privacy:

(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)

I - to propose strategic guidelines and provide subsidies for the preparation of the National Policy for the Protection of Personal Data and Privacy and for ANPD's performance;
II - prepare annual evaluation reports on the execution of the actions of the National Policy for the Protection of Personal Data and Privacy;
III - suggest actions to be taken by ANPD;

(Included by Law No. 13.853 of 2019)
(Included by Law No. 13.853 of 2019)

(Included by Law No. 13.853 of 2019)

IV - prepare studies and hold debates and public hearings on the protection of personal data and privacy; and

(Included by Law No. 13.853 of 2019)

V - disseminate knowledge about the protection of personal data and privacy to the population.

(Included by Law No. 13.853 of 2019)

Art. 59. (VETOED).
CHAPTER X
FINAL AND TRANSITIONAL PROVISIONS
Art. 60. Law No. 12.965, of April 23, 2014 (Marco Civil da Internet) , becomes effective with the following changes: Effectiveness
"Art. 7th ....................................................... ....................
........................................................ ..........................................
X - definitive deletion of personal data that you have provided to a certain internet application, at your request, at the end of the relationship between the parties, except in the cases of custody
mandatory registration provided for in this Law and in that which provides for the protection of personal data;
........................................................ ...............................” (NR)
"Art. 16. .................................................. ....................
........................................................ ..........................................
II - personal data that are excessive in relation to the purpose for which consent was given by its holder, except in the cases provided for in the Law providing for data protection
personal." (NR)
Article 61. The foreign company will be notified and notified of all procedural acts provided for in this Law, regardless of power of attorney or contractual or statutory provision, in the person of the agent or representative
or person responsible for its branch, agency, branch, establishment or office installed in Brazil.
Art. 62. The national authority and the National Institute of Educational Studies and Research Anísio Teixeira (Inep), within the scope of their competences, will issue specific regulations for access to data processed by the Union
to comply with the provisions of § 2 of art. 9 of Law No. 9,394, of December 20, 1996 (Law of Guidelines and Bases of National Education) , and those referring to the National System of Evaluation of Higher Education (Sinaes),
referred to in Law No. 10,861, of April 14, 2004 .
(Revoked by Provisional Measure No. 869 of 2018)
Art. 62. The national authority and the National Institute of Educational Studies and Research Anísio Teixeira (Inep), within the scope of their competences, will issue specific regulations for access to data processed by the Union
to comply with the provisions of § 2 of art. 9 of Law No. 9,394, of December 20, 1996 (Law of Guidelines and Bases of National Education) , and those referring to the National System of Evaluation of Higher Education (Sinaes),
referred to in Law No. 10,861, of April 14, 2004 .
Art. 63. The national authority shall establish rules on the progressive adaptation of databases created up to the date of entry into force of this Law, considering the complexity of the processing operations and the
nature of the data.
Art. 64. The rights and principles expressed in this Law do not exclude others provided for in the Brazilian legal system related to the matter or in international treaties to which the Federative Republic of Brazil is a party.

Art. 65. This Law enters into force after 18 (eighteen) months of its official publication.
Art. 65. This Law comes into force:
(Wording given by Provisional Measure No. 869 of 2018)
I - as to art. 55-A, art. 55-B, art. 55-C, art. 55-D, art. 55-E, art. 55-F, art. 55-G, art. 55-H, art. 55-I, art. 55-J, art. 55-K, art. 58-A and art. 58-B, on December 28, 2018; and
869 of 2018)
II - twenty-four months after the date of publication for other articles.
(Included by Provisional Measure No. 869 of 2018)

(Included by Provisional Measure No.

Art. 65. This Law comes into force: (Wording given by Law No. 13.853, of 2019)
I - on December 28, 2018, as to articles 55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55-I, 55-J, 55-K, 55-L, 58- A and 58-B; and
IA - August 1, 2021, as to arts. 52, 53 and 54;

(Included by Law No. 13.853 of 2019)

(Included by Law No. 14.010 of 2020)

II - 24 (twenty four) months after the date of publication, as for the other articles.
II - on May 3, 2021, as to the other articles. (Wording given by Provisional Measure No. 959 of 2020 )

(Included by Law No. 13.853 of 2019)
(Converted into Law No. 14,058 of 2020)

II - 24 (twenty four) months after the date of publication, as for the other articles.

(Included by Law No. 13.853 of 2019)

Brasília, August 14, 2018; 197th of Independence and 130th of the Republic.
MICHEL FEAR
Torquato Garden
Aloysio Nunes Ferreira Filho
Eduardo Refinetti Guardia
Esteves Pedro Colnago Junior
Gilberto Magalhães Occhi
Gilberto Kassab
Wagner de Campos Rosario
Gustavo do Vale Rocha
Ilan Goldfajn
Raul Jungmann
Elisha Padilha
This text does not replace the one published in the DOU of 8.15.2018, and partially republished on 8.15.2018 - Extra edition
*

