On December 21, 2021, the Brazilian Data Protection Authority (ANPD) updated instructions on how and when data subjects can file a complaint against a data controller for possible violation of the their rights under the General Data Protection Law (LGPD). The LGPD is Brazil’s all-encompassing data protection law similar to the European Union’s GDPR. The LGPD imposes certain requirements on data processing agents (which include controllers and processors of data) to safeguard the data privacy rights of individuals (data subjects). The ANPD has the authority to impose administrative sanctions for LGPD violations.

Under the updated instructions, the data subject must first formally contact the controller to try to get their request(s) answered or addressed. If the controller fails to resolve the issue, the data subject can petition the ANPD to intercede. The petition has to be submitted online and the data subject must provide the data controller’s or processor’s contact information and a description of the situation, and submit proof that the data subject formally made a request to the controller and it was not addressed (or was not addressed timely). In exceptional circumstances the ANPD may accept anonymous petitions and/or a self-declaration that it was not possible to provide evidence, provided the identity of the complainant is not needed to investigate the facts and the information provided can be verified.

The ANPD will address a petition specifically only if the petition could potentially affect collective and broad interests. Otherwise, the ANPD will analyze aggregated requests and use the information to launch investigations, improve regulations and implement educational actions.

Takeaways

The LGPD applies to any processing of employees’ and customers’ personal data. If a company collects, uses, transfers, stores or otherwise processes personal data of employees or customers in or from Brazil, the LGPD applies to that company (and/or its local subsidiary).

Employers seeking to avoid or minimize the chances of such individuals’ filing a complaint against the company with the ANPD need to address data subject requests properly. To that end, employers should consider taking the following steps:

  • Ensure the Data Privacy Notice and Policy clearly state instructions on how a data subject can contact the company to exercise their rights (in addition to listing those rights);
  • Confirm that the contact listed in the Notice and in the Policy is a workable email address that is frequently checked by someone in the privacy team who is ready to start the process;
  • Have a workable plan in place for handling requests from data subjects that is organized, efficient and swift, as controllers have only 15 days to respond after the request is made;
  • Train employees to spot possible requests from data subjects and to forward them to the appropriate person immediately;
  • Thoroughly vet vendors to make sure they have the required structure to comply with the LGPD; and
  • Have data processing agreements with all vendors that include, among other provisions, clear instructions on giving the company immediate notice of data subject requests, and strong indemnity clauses.