LGPD and MIGNOW
Data protection for all of us at MIGNOW is an important topic. We started to understand it as a form of affection and attention that we have to give to the data of individuals so that we can have a sustainable environment.
Here in Brazil, the topic was brought up by the General Data Protection Law - LGPD (Law No. 13,709, of August 14, 2018). It has already been changed a few times, but it is a game changer on this subject.
Its aim is to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person through the development of a culture of protection of personal data.
But this is not just around here. Investment in Data Protection and privacy is a global trend, resulting from the increased awareness of people and companies about the value of data, and the impact that exposure of sensitive information can have on people's lives. In Europe (through GDPR) and California (with CCPA), regulations have already evolved to reflect this reality, and LGPD arrives in Brazil to also bring our business relations to the expected level of confidence in terms of personal data management.
For this reason, we at MIGNOW, who use data from individuals, follow a series of prior compliance steps and procedures, from the collection of information to its disposal at the end of the treatment.
The LGPD came into force on September 18, 2020. Administrative sanctions and fines under the responsibility of the National Data Protection Authority (ANPD), however, can only be applied as of August 1, 2021.
Who does it apply to?
Any business, whether a natural or legal person, that handles data of individuals residing in Brazil or data collected and treated in our country.
Under what conditions?
The LGPD applies to all operations involving the processing of personal data that are carried out in Brazil; that fall on personal data collected here; or that involve the offer of goods and services or individuals that are in Brazilian territory.
It is important to understand that the LGPD does not only apply to the processing of personal data in digital media; it also applies to any processing operation in a physical environment, such as the receipt, transit and storage of resumes, reports, spreadsheets and copies of personal documents.
Exceptions
The LGPD does not apply to the processing of personal data carried out for private and non-economic purposes; exclusively journalistic, artistic or academic data; data exclusively on public security, national defense, state security or the investigation and prosecution of criminal offenses; and data that have no contact with Brazil in the entire treatment flow.
Treatment agents
The LGPD establishes as treatment agents of personal data the figures of the Controller and the Operator, and both are responsible for the treatment they perform.
The Controller is the one who has a direct relationship with the holder and is responsible for meeting the holder's requirements. The Controller has full decision-making power over the data processed, indicating the form, the means used and the legal bases that will be applied to each treatment of personal data.
The Operator, on the other hand, is the person who performs the processing of personal data on behalf of the Controller, from whom the data was received, and who is obliged to follow the entire format the Controller has chosen for the treatment.
Principles of the law
The LGPD establishes principles that must be observed whenever personal data are processed. They are:
- Purpose: The objectives of the processing of personal data must be clear, legitimate, and therefore specific, and non-targeted processing is prohibited;
- Adequacy: The treatment must be adapted to the needs informed to the holders;
- Necessity: Linked to the principles of purpose and adequacy, this principle guides us so that only personal data that are strictly necessary to achieve the intended purpose are processed;
- Free access: Whoever carries out the processing of personal data must always promote easy access of these to their holders, including speed and transparency in the availability of information;
- Data quality: It is an obligation of those who carry out the treatment to ensure that personal data is relevant, accurate, clear and therefore updated;
- Transparency: With commercial and industrial secrets protected, the holder must have access to clear, accurate information that respects free access to his personal data;
- Safety: Technical and organizational measures must be used not only preventively, but at all times in the personal data processing chain, thus avoiding unauthorized treatment, regardless of the reason;
- Prevention: The processing of personal data must always observe the prior adoption of measures that seek to avoid the occurrence of leaks and other occurrences that could harm the holder or third party;
- Non-discrimination: Treatment can never be used for the purpose of promoting unlawful or even abusive discriminatory acts;
- Responsibility and accountability: The party that carries out the processing of personal data must be able to demonstrate the adoption of effective measures that prove the observance of and compliance with the data protection rules.
But, after all, what is the processing of personal data?
For the LGPD, treatment is any operation performed with personal data, in physical, digital or any other possible environment, referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, disposal, evaluation or control of information, modification, communication, transfer, diffusion or extraction.
When can personal data be processed?
The LGPD has established 10 legal bases that allow data processing. They are:
- Consent;
- Compliance with the controller's legal or regulatory obligation;
- By the government, for the execution of public policies;
- Studies by research bodies;
- Execution of contract or carrying out pre-contractual steps, provided that at the request of the holder;
- Regular exercise of rights in judicial, administrative or arbitration proceedings;
- Protection of life and physical safety;
- Health protection;
- Legitimate interest of the controller or third parties;
- Credit protection.
Bear in mind that the processing of sensitive personal data cannot take place based on the legitimate interest of the controller or third parties.
Personal data and sensitive personal data
The LGPD defines as personal data any data that identifies or may, in any way, lead to the identification of a natural person, who is the holder of such data.
In turn, sensitive personal data are personal data that refer to situations of an intimate nature and that can cause irreparable damage (or damage that is complex to repair) to their holders if any damage occurs in the treatment. Thus, sensitive personal data are those related to racial or ethnic origin, religious belief, political opinion, union membership or membership of an organization of a religious, philosophical or political character, data relating to health or sexual life, and genetic or biometric data, when linked to a natural person.
The holder of personal data
The central figure of the LGPD is the holder of the personal data, which is the natural person to whom the personal data being processed refer.
Rights of the holder
The person whose data is processed has the possibility of having free and easy access to his/her personal data, wherever they are, with due regard for the exceptions of the law, especially when these data are linked to a public benefit activity.
In addition, the LGPD guarantees several rights to holders, who can now:
- Confirm and access their personal data;
- Require the correction of incomplete, inaccurate or outdated data;
- Request anonymization, blocking or elimination;
- Require portability;
- Revoke the consent they have given for the treatment;
- Oppose treatment;
- Request explanations and review of decisions taken in an automated manner based on their personal data.
Mignow, the company that created the first software capable of converting SAP ECC to SAP S/4HANA through a 100% automated process, performs the processing of personal data both as a controller and as an operator, adapting to the specific needs of each customer.
Therefore, due to the LGPD and other standards and certifications, we have adopted data security and governance practices, as well as all the necessary mechanisms that make our activity safe and in compliance with all the precepts of the applicable legislation.
We develop awareness programs for our teams, focused on governance in the protection of personal data, in addition to maintaining interaction between the teams responsible for implementing the adequacy model established by law.
In our activities, we do not use credit-related databases, thus observing the legal prohibition on this topic. This same example serves for any and all legal restrictions, which we keep up to date to always act in an ethical, prudent and appropriate manner.
Currently, all of our activities, including, but not limited to, the products, websites and other tools that we have and offer to our customers, partners and employees, meet the requirements of the LGPD, including the development of new solutions.
In addition to observing the LGPD in all its contracts and in its day-to-day activities, Mignow closely monitors the legislative discussions regarding the law and the creation of the ANPD, always adjusting its adequacy program according to the news on privacy and data protection.
Therefore, we map all our personal data flows and work on the development of a specialized team; awareness of employees; development of a communication channel for interaction with data holders; and carrying out legal assessments that, among various responsibilities, take care to indicate the correct use of legal bases in our activities.
If you have any questions or requests, contact us through the channel: privacy@mig-now.com
Mignow team.
To ensure the adequacy and compliance with the Data Protection requirements in the Mignow company, our DPO (Data Protection Officer) can be contacted at dpo@mig-now.com
If you wish to send a Request or Complaint, we ask that you register your request through the following channel: privacy@mig-now.com