CHAPTER VII

SECURITY AND GOOD PRACTICES
 

Section I
Security and Secrecy of Data
 

Art. 46.

Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.
 

§1 The national authority may provide minimum technical standards to make the provisions of the lead sentence of this article applicable, taking into account the nature of the processed information, the specific characteristics of the processing and the current state of technology, especially in the case of sensitive personal data, as well as the principles provided in the lead sentence of Art. 6 of this Law.
§2 The measures mentioned in the lead sentence of this article shall be complied with as from the conception phase of the product or service until its execution.
 

Art. 47.

Processing agents or any other person that intervenes in one of the processing phases commit themselves to ensure the security of the information as provided in this Law regarding personal data, even following the conclusion of the processing in question.
 

Art. 48.

The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.
 

§1 The communication shall be made within a reasonable period, as defined by the national authority, and shall contain, at the very least:
 

I – a description of the nature of the affected personal data;
II – information on the data subjects involved;
III – an indication of the technical and security measures used to protect the data, subject to commercial and industrial secrecy;
IV – the risks related to the incident;
V – the reasons for delay, in cases in which communication was not immediate; and
VI – the measures that were or will be adopted to reverse or mitigate the effects of the damage.
 

§2 The national authority shall verify the seriousness of the incident and may, if necessary to safeguard the data subjects’ rights, order the controller to adopt measures, such as:
 

I – broad disclosure of the event in communications media; and
II – measures to reverse or mitigate the effects of the incident.
 

§3 When judging the severity of the incident, any evidence that, within the scope and the technical limits of the services, adequate technical measures were adopted to render the affected personal data unintelligible to third parties not authorized to access them shall be taken into account.
 

Art. 49.

The systems used for processing personal data shall be structured in order to meet the security requirements, standards of good practices and governance, general principles provided in this Law and other regulatory rules.
 

Section II
Good Practice and Governance
 

Art. 50.

Controllers and processors, within the scope of their functions, concerning the processing of personal data, individually or by associations, may formulate rules for good practices and governance that set forth conditions of organization, a regime of operation, the procedures, including those for complaints and petitions from data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing, educational activities, internal mechanisms of supervision and risk mitigation and other aspects related to the processing of personal data.
 

§1 When establishing rules of good practices, the controller and the processor shall take into consideration, regarding the processing and the data, the nature, scope, purpose and probability and seriousness of the risks and the benefits that will result from the processing of the data subject’s data.
§2 When applying the principles mentioned in items VII and VIII of the lead sentence of Art. 6 of this Law, and subject to the structure, scale and volume of her/his operations, as well as the sensitivity of the processed data and the probability and seriousness of the damages to data subjects, the controller may:
 

I – implement a privacy governance program that, at the very least:


a) demonstrates the controller’s commitment to adopt internal procedures and policies that ensure broad compliance with rules and good practices regarding the protection of personal data;
b) is applicable to the entire set of personal data under her/his control, irrespective of the means used to collect them;
c) is adapted to the structure, scale and volume of her/his operations, as well as to the sensitivity of the processed data;
d) establishes adequate policies and safeguards based on a process of systematic evaluation of the impacts and risks to privacy;
e) has the purpose of establishing a relationship of trust with the data subject, by means of transparent operation, and ensures mechanisms for the data subject to participate;
f) is integrated into its general governance structure and establishes and applies internal and external mechanisms of supervision;
g) has plans for incident response and remediation; and
h) is constantly updated based on information obtained from continuous monitoring and periodic evaluations;
 

II – demonstrate the effectiveness of her/his privacy governance program when appropriate and, especially, at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which, independently, promote compliance with this Law.
 

§3 Rules of good practice and governance shall be published and updated periodically and may be recognized and disclosed by the national authority.
 

Art. 51.

The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.