Policy
FAQs
ABOUT
THE GDPL

1 - What is the GDPL?

The General Data Protection Law, known as the Personal Data Act, was created to protect each individual's data, and it changed the way organizations function and operate with respect to rules on data collection, storage, processing, and sharing.

2 – Who does the new General Personal Data Protection Law (GDPL) apply to?

The Law applies to natural persons and legal entities under public and private law that process data, as well as to natural persons whose data are collected, regardless of the medium (physical or digital), the country where the legal entity is headquartered, or the country where the data are located.

03 – What is personal data?

Any information that can lead to the identification of a person, either directly or indirectly (identified or identifiable), by reference to a name, an identification number or one or more specific elements of his or her physical, physiological, psychological, economic, cultural or social identity.

04 – What are sensitive personal data?

These are personal data on racial or ethnic origin, religious conviction, political opinion, membership in a union or organization of a religious, philosophical or political nature, data relating to health, life or sexual orientation, genetic or biometric data, when linked to a natural person. They are those that, if exposed or shared, can have an impact on personal and/or professional life, such as data recorded by a hospital or doctor.

As they do not allow the identification of their respective Holder, anonymized data are not subject to the application of the GDPL, except when there is a reversal of the anonymization process to which such data were submitted.

05 – Does the GDPL apply only to the processing of personal data collected on the Internet?

No. The GDPL is applicable to any operation of processing personal data that has been collected within the Brazilian territory or that is intended to offer goods or services to people located in Brazil, regardless of whether these personal data have been collected offline or online, in physical or digital media.

06 – What is “data processing”?

It is the entire operation carried out from the collection, use, transmission, processing and archiving of data to its disposal.

07 – In which cases of personal data processing will the GDPL not be applied?

In cases where the processing of personal data is carried out:

A) By an individual, for private and non-commercial purposes, for example, to collect personal data of family members to assemble a genealogical tree;
B) For exclusively journalistic, artistic and academic purposes;
C) By the Government, in the case of public security, national defense, State security and investigation and repression activities of criminal offenses.

Data originating in and destined for other countries, which only transit through national territory without any operation being carried out here, may not be subject to the application of the GDPL, provided that the country of origin has a level of protection similar to that provided for in the GDPL.

08 – What are the main actors in the processing of personal data, according to the GDPL?

The main ones are the holder, the controller, the operator and the person in charge.

09 – When the purpose of the processing of personal data is achieved, is there the deletion of the data?

The Controller is responsible for ensuring that personal data are eliminated after the end of their processing, within the scope and technical limits of the activities. Preservation is authorized for the following purposes: compliance with a legal or regulatory obligation by the Controller; study by a research body; transfer to third parties; and exclusive use of the Controller (anonymized data).

10 – Does the company keep a record of personal data processing operations?

The controller and the operator must keep a record of the personal data processing operations they carry out, especially when based on legitimate interest.

11 – Does the company provide a communication channel where the holder of the personal data has easy access to information about the processing of his/her data?

Yes, the company must hire a DPO to perform this function.

12 – Does the company provide a person in charge of the processing of personal data?

Yes, the company must hire a DPO to perform this function.

13 – How should the Holder proceed when identifying the leak of his/her data?

The Holder may contact the Controller of the data responsible for the processing object of the incident (leakage), formally requesting the necessary corrections and controls. The DPO will be the contact in this situation and will be required to take the necessary actions.

14 – Who is the DPO? And why is he important?

The so-called Data Protection Officer (DPO) corresponds, in Brazilian legislation, to the person in charge of data. This is the professional who, within a company, is responsible for handling matters related to protection, preventing the vulnerability of the data of the organization and of its clients.

15 – If the processing of personal data does not take place in accordance with the GDPL, who will be held responsible?

The Controller or the Operator is liable for damages arising from violation of the GDPL. The Data Controller may also be penalized if he provides any wrong guidance to the controller x operator x holder. The Operator will respond jointly with the Controller when it fails to comply with the GDPL or when it has not followed the instructions previously given by the Controller. The National Authority may send the person responsible a report with appropriate measures to terminate it

16 – What are the penalties that can be applied to those who violate the GDPL?

These are the following administrative sanctions, provided for in the new law:

I – Warning, with the indication of a deadline for the adoption of corrective measures;
II – Simple fine of up to 2% of the billing of the legal entity of private law, group or conglomerate in Brazil, in the last financial year, excluding taxes, limited to R$ 50,000,000.00, per infringement;
III – Daily fine, observing the total limit referred to in the previous paragraph;
IV – Publicization of the infraction, after verification and confirmation;
V – Blocking of personal data to which the infringement relates until its regularization;
VI – Deletion of the personal data to which the infringement relates.

The sanctions will be applied gradually, in isolation or cumulatively, according to the peculiarities of the concrete case and considering its severity and nature. In addition to administrative sanctions, the offender may also be held liable in court for repercussions arising from non-compliance with the GDPL, individually or collectively.

As we can see, these penalties are pecuniary and also reputational, since the publicizing of a security incident can undermine a company's credibility. In addition, it is important to emphasize that the amounts arising from the application of pecuniary penalties do not directly benefit the data holder and will be allocated to the Federal Fund in Defense of Diffuse Rights.
