CHAPTER VI
 

PERSONAL DATA PROCESSING AGENTS
 

Section I

Controller and Processor
 

Art. 37.

The controller and the processor shall keep records of personal data processing operations carried out by them, especially when based on legitimate interest.
 

Art. 38.

The national authority may require the controller to prepare a data protection impact assessment, including with regard to sensitive data, covering its data processing operations, pursuant to regulation and subject to commercial and industrial secrecy.
Sole paragraph. Subject to the provisions of the lead sentence of this article, the report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the controller's analysis of the measures, safeguards and risk-mitigation mechanisms adopted.
 

Art. 39.

The processor shall carry out the processing according to the instructions provided by the controller, which shall verify compliance with its own instructions and with the rules applicable to the matter.
 

Art. 40.

The national authority may establish interoperability standards for purposes of portability, free access to data and security, as well as standards for the periods during which records of personal data must be retained, taking into account necessity and transparency.
 

Section II
 

Data Protection Officer
 

Art. 41.

The controller shall appoint a data protection officer to be in charge of processing personal data.
 

§1 The identity and contact information of the data protection officer shall be publicly disclosed, in a clear and objective manner, preferably on the controller’s website.
§2 Data Protection Officer’s activities consist of:
 

I – accepting complaints and communications from data subjects, providing explanations and adopting measures;
II – receiving communications from the national authority and adopting measures;
III – providing guidance to the entity's employees and contractors on the practices to be adopted regarding personal data protection; and
IV – carrying out other duties as determined by the controller or set forth in complementary rules.
 

§3 The national authority may establish complementary rules about the definition and the duties of the data protection officer, including situations in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.
§4 (vetoed). (Included by Law No. 13,853/2019)
 

Section III
Liability and Loss Compensation
 

Art. 42.

The controller or the processor that, as a result of carrying out its activity of processing personal data, causes material, moral, individual or collective damage to others, in violation of the legislation for the protection of personal data, is obligated to redress it.
 

§1 In order to ensure effective compensation to the data subject:
 

I – the processor is jointly liable for damages caused by the processing when it fails to comply with the obligations of the data protection legislation or when it has not followed the controller's lawful instructions; in the latter case, the processor is deemed equivalent to the controller, except in the cases of exclusion provided in Art. 43 of this Law;
II – the controllers directly involved in the processing from which damage to the data subject resulted shall be jointly liable, except in the cases of exclusion provided in Art. 43 of this Law.
 

§2 The judge, in a civil lawsuit, may, at her/his discretion, reverse the burden of proof in favor of the data subject when the allegation is plausible, when the data subject lacks the means to produce evidence, or when the production of evidence by the data subject would be excessively burdensome.
§3 Lawsuits for compensation for collective damages, pursuant to the terms of the lead sentence of this article regarding liability, may be filed collectively in court, subject to the provisions of related legislation.
§4 Anyone who pays compensation for damages to the data subject has the right to demand compensation from the other liable parties, to the extent of their participation in the damaging event.
 

Art. 43.

Processing agents shall be exempt from liability only when they prove that:
 

I – they did not carry out the personal data processing that is attributed to them;
II – although they did carry out the processing of personal data that is attributed to them, there was no violation of the data protection legislation; or
III – the damage arises from the exclusive fault of the data subject or a third party.
 

Art. 44.

Processing of personal data shall be deemed irregular when it does not comply with the legislation or when it does not provide the security that the data subject can expect of it, considering the relevant circumstances of the processing, among which are:
 

I – the way in which the processing was carried out;
II – the result and the risks that one can reasonably expect of it;
III – the techniques for processing personal data available at the time it was carried out.
 

Sole paragraph. The controller or the processor that fails to adopt the security measures provided in Art. 46 of this Law shall be held liable for damages caused by the security breach.
 

Art. 45.

When there is a violation of the data subject's rights within the scope of consumer relations, the rules of liability provided in the pertinent legislation shall apply.