Communication Channel for Service to Owners of ANPD Data

Doubts?

What is LGPD?

LGPD is a special law created to make sure that the owner may have better control over the treatment of respective personal data, establishing principles and rules that can be observed and followed by companies and corporations, both state and privately owned, in order to make sure of rights related to the protection of personal data.

Who inspects the compliance with the Law?

The inspection is the responsibility of the National Data Protection Agency (ANPD), an institution which is a subsidiary of the Brazilian President’s Office, and is responsible for surveillance of adherence to the Law, set guidelines and also apply sanctions in case of any irregularity. Other institutions may be connected to the inspection of adherence to the Law when applicable, as the Prosecution Office, to deal with the issue of citizens’ diffuse rights and other such issues.

Who is the ‘Owner’?

According to the terms of the Law, the natural person to whom the personal data being collected and treated actually refers.

Who is the Operator?

This is the natural or corporate person, publicly or privately owned, that carries out the treatment of personal data in the name of the controller. Any person hired by our services that carries out treatment in your name, acts in the role of Operator.

What is ‘personal data’?

This is any information related to a natural person as identified or identifiable (name, identity card – RG, taxpayer registration number – CPF, gender, place and date of birth, telephone, residential address, location on GPS, photograph, health records, bank card, income, payment records, consumer habits, leisure preferences, IP address (Internet Protocol) and cookies, among others.

What is ‘sensitive personal data’?

In the terms of the Law, sensitive personal data is any kind of personal data regarding racial or ethnic origin, religious beliefs, political opinions, participation in trade unions, data involving health or sex life, genetic or biometric data, when involving an individual person, or anything involving children or teenagers.

What does the treatment of such data involve?

Treatment of data is the operation carried out with personal data, including storage, collection, and treatment, among others.

In what cases of treatment of personal data is the law applied?

The LGPD is applicable to the operations of treatment of personal data collected in Brazilian territory, or that have the main purpose of offering goods and services to people located therein, regardless of whether the data has been collected off-line or online, through physical or digital means.

Shall the LGPD be applied to any kind of treatment of personal data?

Not in the case of treatment of personal data carried out by an individual person for private reasons; in the case of exclusively journalistic, academic or artistic purposes; or by the Government – in the case of public safety, national defense, security of the State, and any activities of investigation or repression of crime.

Can the treatment of sensitive personal data be performed?

Yes, provided consent has been granted as set out by Law; or when this is essential for compliance with legal or regulatory obligations by the controlling body; by Government authorities, when involving Government policies set out by Law or in regulations; studies conducted by research organizations; regular exercising of rights, including situations involving judicial, administrative and arbitral lawsuits; protection of life; guardianship in health situations; guaranteed protection against fraud, security of the owner.

What are the core principles of the LGPD?

The treatment of personal data by the Sabará Children’s Hospital shall be governed by the following principles:

1. Purpose: Treatment of the data exclusively for the purposes determined, that are explicit, legitimate, and informed prior to treatment. The data may not be treated later on for incompatible purposes.
2. Adequacy: Treatment of personal data in an appropriate manner that is relevant to the intended use of such data.
3. Need: Only treat personal data as necessary and in proportion to the goals of the business, and seek alternative forms to reach the same goals in other ways that are less invasive regarding the privacy of the owner of the personal data.
4. Free Access: Make it feasible for the owners to have facilitated and free-of-charge consultations about the method and duration of treatment of their personal data.
5. Quality of Data: Exactness, clarity, relevance and updating of personal data, according to need and for compliance with the purpose of the treatment.
6. Transparency: Provision of clear, precise and easily accessible information to the owners of the data, about treatment of their personal data (collection, purpose, storage, sharing of the data, and discarding of the personal data), while following the restrictions regarding commercial and industrial secrets.
7. Security: Protection of personal data, against unauthorized or illicit treatment, loss, destruction, or accidental damage, with the adoption of technical and organizational measures to safeguard the integrity, confidentiality and availability of personal data, and compliance with the security guidelines now effective as part of the Information Security Policy of the Sabará Children’s Hospital, the José Luiz Setúbal Foundation, and the PENSI Institute, during the whole life cycle of the personal data involved.
8. Prevention: Adoption of measures to prevent occurrence of damage resulting from treatment of personal data.
9. Non-Discrimination: The personal data must not be used for illicit, abusive or discriminatory purposes.
10. Responsibility and Accountability: Show the adoption of efficient measures that are able to prove compliance with standards for protection of personal data, and the efficiency of such measures.

Which rights can be requested by the data owners?

Here we should adhere to the rights of the data owner with regard to the personal data treated, including confirmation of existence of treatment, access to personal data, correction, revocation of consent, portability, anonymization, blockage, and elimination of personal data.

1. Correction and Updating: When the owner of the personal data requests correction or updating of personal data, before proceeding with the request, the authenticity of the person must be confirmed. This means that the IT and Business areas must make sure that the physical and digital means through which the data has been replicated and stored shall also be kept up to date.
2. Responses to requests made by the owners: The responses to the requests and orders as made by the owners of the personal data shall be made by carers who have been selected by the Sabará Children’s Hospital, and shall be governed by the Procedure for Responding to Owners’ Requests.
3. Health Data: The treatment of health data by Operators hired by Sabará Children’s Hospital shall mandatorily allow the owner to have the right to portability of data, when this is requested, or to see the financial and administrative transactions resulting from the use and provision of services.
4. Consent: Whenever treatment based on consent is necessary, this consent shall be obtained through free and informed statement of intention by the owner of the data, according to the purposes that have been informed for this treatment.
5. Revocation of Consent: The owner of the data may revoke consent, easily and free of charge, through the service channels of the Sabará Children’s Hospital, the José Luiz Setúbal Foundation, and the Pensi Institute, in which case all data treatment processed prior to revocation shall remain valid. The owner of the personal data shall be informed about the consequences of revocation of consent, in a simple, clear, and facilitated manner.
6. Free Access: Make it feasible for data owners to have facilitated and free-of-charge consultation about the form and duration of the treatment of their personal data.

In what situations does the Law allow treatment of personal data?

The treatment of sensitive personal data may only be made in the following cases:

1. When consent has been granted by the data owner or his/her person legally responsible, in a specific and highlighted manner, for specific purposes;
2. Compliance with legal or regulatory obligations;
3. Shared treatment of data as necessary for the execution, by Government authorities, of Government policies set out in laws or regulations;
4. Effectuation of studies by research institutions, with guaranteed, whenever possible, anonymization of sensitive personal data;
5. Regular exercising of rights, including those set in contract and in the case of judicial, administrative or arbitral processes;
6. Protection of life or physical invulnerability of the data owner or of a third party;
7. Guaranteed prevention of fraud and of security of the data owner, in the processes involving identification and authentication of files on electronic systems.

What is ‘consent’?

Consent is the free, informed and firm expression by which the data owner agrees with the treatment of their personal data for a set purpose. However, consent is one of the legal possibilities for treatment of data, not being mandatory or even prevalent when compared to the other cases of authorization for data treatment.

How is consent given in the case of Children and Adolescents?

In Article 14, the LGPD states that the treatment of personal data of children and adolescents must be done in their best interests. For treatment of data referring to children (aged up to 12 years old), this shall be done with specific and highlighted consent given by at least one of the parents or by the child’s legal person responsible. For this reason, the Sabará Children’s Hospital advises the owners of data as participants that they should register the data of their under-age dependents, and update, in the restricted area, such information so that they may give express consent for the treatment of data involving children, through a clear and objective statement to this effect, so that the terms of the Law may be followed. Data for children and adolescents may be collected without consent when this is necessary for protection of the child or adolescent, or for contacting the parents or the legal person responsible. In this case, they shall be used only once, without storage. Under no circumstances may the data be passed on to third parties without consent.

In cases of irregularities in data treatment, what shall the responsibility be like?

The responsibility shall be administrative or civil, as according to the terms set forth in Law No. 13,709/2018.

What is the Data Protection Officer (DPO)?

This is the person appointed by the controller and operator to be a communication channel between the controller, the owners of the data, and the ANPD, and has other assigned responsibilities, either assigned by Law or determined by the Controller.

Should the owner of the data be informed in the event of an incident?

In the event of a security incident that could cause harm to the owner of the data, then the LGPD sets out that the Controller should inform the owner of the data and the ANPD about the occurrence of this incident.

What is the ANPD?

This is the Brazilian National Data Protection Authority, a Federal Government institution that, with technical and decisory independence, and linked to the Brazilian Presidency, responsible for inspection, guaranteeing and guidance regarding the compliance with Law 13,709/2018.