CHAPTER IV
PROCESSING OF PERSONAL DATA BY PUBLIC AUTHORITIES
Section I
Rules
Art. 23.
Processing of personal data by legal entities of public law referred to
in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the
“Brazilian Access to Information Law”), shall be done in fulfillment of its
public purpose, in benefit of the public interest, for the purpose of performing
legal capabilities or discharging legal attributions of the public service,
provided that:
I – they communicate the situations in which, in the exercise of their regulatory capacities, they carry out the processing of personal data, supplying clear and up-to-date information about the legal base, purpose, procedures and practices used to carry out these activities in an easily accessible medium, preferably on their websites;
II – (vetoed); and
III – a data protection officer is appointed when carrying out personal data processing operations, in accordance with Art. 39 of this Law; and (New Wording Given by Law No. 13,853/2019)
IV – (vetoed). (Included by Law No. 13,853/2019)
§1 The national authority may provide for the forms of disclosing information on data processing operations.
§2 The provisions of this Law do not exempt the legal entities mentioned in the lead sentence of this article from establishing the authorities as provided in Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”).
§3 The time periods and procedures for exercising data subjects’ rights before the public authorities shall obey the provisions of specific legislation, especially the provisions stated in Law No. 9,507, of November 12, 1997 (the “Brazilian Habeas Data Law”), of Law No. 9,784, of January 29, 1999 (the “Federal Administrative Procedure Law”), and of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”).
§4 Notarial and registry services, carried out under private nature by delegation of public authorities, shall receive the same treatment given to legal entities as provided in the lead sentence of this article, in accordance with the terms of this Law.
§5 Notarial and registry bodies shall provide access to data by electronic means to the public administration in order to fulfill the purposes mentioned in the lead sentence of this article.
Art. 24.
Public companies and mixed-capital companies that operate in the competitive market, subject to the provisions of Art. 173 of the Federal Constitution, shall receive the same treatment given to private legal entities of private law, under the terms of this Law.
Sole paragraph. Public and mixed-capital companies, when they are carrying out
public policies and within the scope of their execution, shall receive the same
treatment given to the bodies and entities of the public authorities, under the
terms of this Chapter.
Art. 25.
Data shall be kept in an interoperable format and structured for shared
use intended for the execution of public policies, provision of public services,
decentralization of public activity, dissemination and access to information by
the general public.
Art. 26.
The shared use of personal data by public authorities shall fulfill the
specific purposes of execution of public policies and legal attributions by
agencies and public entities, subject to the principles of personal data
protection listed in Art. 6 of this Law.
§1 It is forbidden for public authorities to transfer to private entities
personal data contained in databases to which they have access, except:
I – in cases of decentralized execution of public activity that requires transfer, exclusively for this specific and distinct purpose, subject to the provisions of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”);
II – (vetoed);
III – in cases in which the data are publicly accessible, subject to the provisions of this Law.
IV – when there is a legal provision or the transfer is grounded on contracts, agreements or similar instruments; or (Included by Law No. 13,853/2019)
V – in the event that the transfer of data is exclusively intended to prevent fraud and irregularities, or to protect and safeguard the data subject’s security and integrity, provided that processing is forbidden to be carried out for other purposes. (Included by Law No. 13,853/2019)
§2 Contracts and agreements as mentioned in §1 of this article shall be
communicated to the national authority.
Art. 27.
Communication or shared use of personal data from a legal entity of
public law to a legal entity of private law shall be communicated to the
national authority and shall rely on the consent of the data subject, except:
I – in situations in which consent is waived as provided in this Law;
II – when there is shared use of data, which will be given publicity pursuant to item I of the lead sentence of Art. 23 of this Law; or
III – in the exceptions contained in §1 of Art. 26 of this Law.
Sole paragraph. The information to be given to the national authority referred to in this article shall be subject to regulation. (Included by Law No. 13,853/2019)
Art. 28. (vetoed)
Art. 29.
The national authority may request, at any time, for bodies and
entities of the Public Administration to carry out personal data processing
operations, the specific information on the scope and nature of the data and
other details of the processing performed and may issue a complementary technical
report to ensure compliance with this Law. (New Wording Given by Law No.
13,853/2019)
Art. 30.
The national authority may establish complementary rules for
communication or shared use of personal data activities.
Section II
Accountability
Art. 31.
When there is an infringement of this Law as a result of personal data
processing by public agencies, the national authority may issue a statement with
applicable measures to stop the violation.
Art. 32.
The national authority may request agents of the public authorities to publish impact reports on protection of personal data and may suggest the adoption of standards and good practices for processing personal data by the public authorities.