XII – the partial or total prohibition of activities related to data processing. (Including by Law no. 13,853/2019)§1 Sanctions are applied according to an administrative procedure that offers the possibility of a full defense, in a progressive, punctual or cumulative manner, in accordance with the particularities of the case by case and taking into account the following parameters and criteria: Data Protection Controller (“DSB”): person designated by the controller or subcontractor to serve as a communication channel between the data subjects and the ANPD. VII – the rights of the data subject, explicitly mentioning the rights provided for in Article 18 of this Law. (e) the objective is to establish a relationship of trust with the person concerned through transparent exploitation and to ensure mechanisms for the participation of the data subject; Personal data collected on Brazilian territory is considered personal data that is located on Brazilian territory at the time of collection. The following data processing activities are excluded from the application of the DLGP: finally, the controllers are liable for damages caused by their data processing activities in the event of a breach of the LGPD. After being informed of the breach, the data protection authority may order the data controller to alert the media or take other measures to mitigate the adverse effects of the incident. §1 Data collected on the national territory are those of which the data subject is in the national territory at the time of collection. Appointment of a Data Protection Officer (DSB) – required in accordance with Art.

41. Under the LGPD, it is mandatory for all data controllers to appoint a DSB, who is then responsible for the activities mentioned here. At present, the law does not require the DSB to be physically established in Brazil and also leaves controllers the possibility to appoint external individual advisors as DSBs. A company`s ability to process personal data such as the GDPR requires a legal basis for processing. The LGPD contains the same 6 legal bases for processing as the GDPR, but also contains four additional legal bases for processing: protection of life or physical security; health protection in procedures implemented by healthcare professionals or healthcare institutions (including certain sensitive personal data); where necessary for pharmaceutical and healthcare relating to data portability and transactions in favour of data subjects; or as required to protect credit. (Art. 7 I-X.). Article 18. With regard to the data of the data subject processed by the controller, the data subject[5] has the right, at any time and upon request, to request the controller: most experts recommend concluding data processing agreements so that all parties concerned understand their respective responsibilities. What responsibilities should such a data processing agreement cover? All this, from the collection to the use of data and its protection. §2 In the absence of an offer of information pursuant to Article 1 of this Article due to commercial and industrial secrecy, the national authority may carry out an examination in order to verify the discriminatory aspects of the automated processing of personal data.

International data transfer: a transfer of personal data to a foreign country or to an international entity of which the country is a member. II – although they have processed personal data attributed to them, there has been no violation of data protection legislation; or 9 The data subject has the right to benefit from easier access to information on the processing of his or her data, which is widely provided in a clear, adequate and purported manner, in particular with regard to the characteristics provided for in the Regulation on compliance with the principle of free access: credit protection as a legal basis for data processing is indeed a substantial derogation from the GDPR. . . .