LGPD
LGPD
What is the LGPD?
Law 13.709/2018, also known as the General Data Protection Law, or LGPD, was enacted on August 14, 2018, and came into effect on September 18, 2020. It establishes rules for the use, collection, storage, and sharing of user data by public and private companies. Its main objective is to guarantee greater security, privacy, and transparency in the use of personal information. With the new legislation, users will have the right to consult, free of charge, what data companies hold about them, how they store it, and even request its removal from the system.
What is personal data?
Personal data includes all information that allows the direct or indirect identification of a living individual. Examples of personal data include: name, ID card number, CPF (Brazilian tax identification number), gender, date and place of birth, telephone number, home address, GPS location, photograph, health records, bank card information, income, payment history, consumption habits, leisure preferences; IP address (Internet Protocol) and cookies, among others.
What is sensitive data?
Sensitive personal data is data that could, in some way, lead to discrimination against the data subject, which is why it must be treated with even greater care. This includes data about children and adolescents; and "sensitive" data, which reveals racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, genetic, biometric, and health or sex life information.
WHO ARE THE DATA PROCESSING AGENTS AND MAIN STAKEHOLDERS?
1 - DATA SUBJECT
This is the individual to whom the personal data refers. For example, beneficiaries, dependents of beneficiaries, patients, employees, among others.
2 - CONTROLLER
This is the entity that makes decisions related to the processing of personal data, considering the purpose for which it was collected. The Controller can be an entity, a private or public company, a public body, or an individual.
3 - OPERATOR
This is the entity that carries out the treatment and processing of personal data as defined by the Controller. The Operator may only process data for the purpose and as defined by the Controller.
4 - DATA PROTECTION OFFICER (DPO)
This professional acts as a communication channel with data subjects, addressing their questions and complaints, and also liaises with the National Data Protection Authority (ANPD).
5 - NATIONAL DATA PROTECTION AUTHORITY (ANPD)
A body of the federal public administration responsible for ensuring, implementing, and overseeing compliance with the LGPD (Brazilian General Data Protection Law).
Data Subject Rights
Identity Validation
Your requests will be subject to identity validation (so that Leques Brasil can direct the processing of requests exclusively to the data subject).
Service
Leques Brasil emphasizes the possibility that your request may be legally rejected, either for formal reasons (such as the impossibility of verifying your identity) or legal reasons (such as a request to delete data whose maintenance is a free exercise of right by Leques Brasil). In the event that these requests cannot be fulfilled, Leques Brasil will provide you with reasonable justifications.
Exercise your rights
To exercise your rights as a data subject, click the DATA SUBJECT RIGHTS button.
WHAT ARE THE RIGHTS OF THE PERSONAL DATA SUBJECT?
The LGPD (Brazilian General Data Protection Law) guarantees several rights to the holders of personal data that must be respected by the Controller when processing this data. These rights may be exercised at any time upon request by the holder. See below what these rights are:
Confirmation and Access
Data subjects have the right to receive confirmation as to whether or not their personal data is being processed. They may also consult this data and additional information relating to the processing, such as sharing with other public or private entities.
Portability
Data subjects have the right to request the transfer of data to another service or product provider (Controller), subject to trade and industrial secrets.
Informed Consent
Data subjects must be given the right to refuse consent to the processing of their data, and must be informed of the consequences of such refusal.
Correction
The Controller must correct incomplete, inaccurate, or outdated personal data, as requested by data subjects.
Deletion of Data Processed with Consent
Data subjects may request the deletion of their personal data when processing depends on consent (except when processing is based on another legal basis provided for by the LGPD).
Revocation of Consent
Data subjects may request the revocation of their consent at any time, in accordance with the terms of the law.
Anonymization, Blocking, or Deletion of Unnecessary, Excessive, or Processed Data in Violation of the LGPD
Data subjects have the right to request that the Controller anonymize their data (de-identify them in such a way that it is no longer possible to ascertain the identity of the data subject), block, or delete it if it is considered excessive or unnecessary for the purpose for which it was collected or when the processing is in violation of the LGPD.
Sharing
Data subjects may request information about the sharing of their personal data with other entities, public or private, if it occurs.
Objection to Processing
Data subjects have the right to object to the processing of their personal data at any time, even in situations that do not depend on their consent, if they find that it is being carried out in violation of the LGPD.
Automated Decision Review
Some personal data processing may involve automated decisions, i.e., without human intervention. For processing subject to decisions based solely on automated processing, the data subject may request a review through non-automated means.