COMPLIANCE WITH LGPD
The LGPD (Law No. 13.709 of 14 August 2018, or Lei Geral de Proteção de Dados) is a Brazilian data protection law that governs the collection, use, processing, and storage of personal data. As it has extraterritorial applicability, not only Brazilian companies but also foreign companies that process personal data of individuals located in Brazil are subject to compliance with LGPD requirements.
As a foreign company that processes personal data of individuals located in Brazil, Affise must also comply with the LGPD. To achieve compliance and avoid potential legal and reputational consequences, Affise has taken several measures, including:
1. Commitment to the Principles of Personal Data Processing.
– Purpose for processing. Any data processing activity is carried out for legitimate, specific, explicit, and clearly communicated purposes. Affise does not do any additional processing which is not in line with the communicated original purposes.
– Necessity. Affise only processes data that is necessary for the fulfillment of the stated purposes of processing.
– Adequacy. Both the way data is processed and the processed data itself are justifiably in line with the purposes of processing.
– Freedom in exercising rights and free access to information. Data subjects are able to freely exercise their rights under the LGPD and have unencumbered, easy access to any information about the processing of their personal data – free of charge.
– Data integrity/quality. Affise, as a controller, ensures the accuracy of the data processed and keeps it updated and relevant, in accordance with the purpose for processing it.
– Transparency. Affise keeps the information about its data processing clear, accurate and easily available to data subjects.
– Security and Prevention. Affise has technical and organizational measures in place that (i) protect personal data from unauthorized access, accidental or unlawful destruction, loss, alteration and unauthorized communication or dissemination, and (ii) aim to prevent any damage being caused by the processing of personal data.
– Non-discrimination. No data processing occurs for discriminatory purposes.
– Accountability. As the data controller, Affise complies with the law and is able to demonstrate it.
2. Appointing a Data Protection Officer (DPO)
Affise designated a DPO who is responsible for ensuring compliance with the LGPD. Duties of the DPO among others include the following:
– to receive complaints and communications from the data subjects, provide clarifications and adopt relevant measures;
– to receive communications from the Brazilian Data Protection Authority (“DPA”) and adopt relevant measures;
– to advise Affise’s employees and contractors regarding the practices and measures to be taken concerning the protection of personal data processed.
3. Mapping Personal Data
Affise mapped all personal data it processes and created a register that lists the type of data, the purpose for which it is processed, the data retention period, and the source of data.
4. Ensuring Appropriate Legal Basis
Affise undertakes to ensure that (i) all processing activities occur based on the appropriate legal basis fully compliant with the LGPD (e.g., free, informed and unambiguous consent provided for a specific purpose, performance of a contract or preliminary procedures related to the contract) and (ii) that the chosen legal basis is adequate, relevant and necessary for the specific processing activity.
5. Implementing Security Measures
Affise has implemented security, technical and administrative measures to protect personal data against unauthorized access and accidental or unlawful destruction, loss, alteration, communication or any kind of illegitimate processing. These measures include, but are not limited to:
– access controls to restrict access to personal data to only authorized personnel;
– data encryption to protect personal data in transit and at rest;
– data minimization to collect only the limited amount of personal data necessary for the specified purpose;
– anonymization and pseudonymization to protect the privacy of data subjects;
– regular backups to prevent data loss;
– employee training to ensure employees understand the importance of data protection and how to handle personal data appropriately;
– incident response plan with steps to be taken in the event of a data breach or other security incident;
– third-party data processing agreements to ensure third-party service providers comply with the LGPD and provide adequate data protection measures.
6. Providing Data Subject Rights
Affise, which processes personal data of individuals located in Brazil, is aware of data subject rights and has processes in place to ensure that these rights are respected and fulfilled. The LGPD grants several rights to data subjects, including:
– Right to Confirmation: Data subjects have the right to have the existence of processing confirmed;
– Right to Access: Data subjects have the right to obtain information about the processing of their personal data, including the purposes of processing, the categories of personal data being processed, and the recipient or categories of recipients to whom the data has been or will be disclosed;
– Right to Rectify: Data subjects have the right to request the rectification of inaccurate or incomplete personal data;
– Right to Anonymization: Data subjects are entitled to the anonymization, blocking or elimination of unnecessary or excessive personal data, or of any data that is not being processed in compliance with the LGPD;
– Right to Erasure: Data subjects have the right to request the deletion of their personal data if the processing of that data was based on consent, except in certain situations where data retention is necessary;
– Right to Information: Data subjects have the right to be informed about sub-processors and other third parties that access or process their personal data. Data subjects also have the right to be informed about their consent choices and the consequences of refusing consent;
– Right to Restrict Processing: Data subjects have the right to request that the processing of their personal data is restricted in certain circumstances, for example, while the accuracy of the data is being verified;
– Right to Data Portability: Data subjects have the right, upon express request, to receive a copy of their personal data in a structured, commonly used, and machine-readable format and to transfer it to another controller without hindrance;
– Right to Revocation: Data subjects have the right to revoke or withdraw consent;
– Right to Object: Data subjects have the right to object to the processing of their personal data in certain situations, such as when the data is being processed for direct marketing purposes;
– Right to Bring Complaint: Data subjects have the right to lodge a complaint with the DPA.
7. Reporting Data Breaches
In order to promote transparency, accountability and data protection, Affise has implemented procedures for reporting data breaches to the Brazilian DPA and affected data subjects within a reasonable time frame.
A personal data breach is any event that compromises the security or confidentiality of personal data, such as unauthorized access, accidental or unlawful destruction, alteration, loss, or disclosure of personal data.
The communication of the data breach shall include a description of the nature of the personal data affected, information on the affected data subjects, information about the technical and security measures used to protect the data (subject to commercial secrecy), the risks related to the incident, the reasons for any delay in reporting the incident to the DPA (in cases in which communication was not immediate), and the measures that were or will be adopted to reverse or mitigate the effects of the damage.
If you have any questions or concerns about Affise’s compliance with the LGPD, please contact us by email at firstname.lastname@example.org or at Affise Technologies Ltd, 49 dromos, 41, K. Polemidia, 4152 Limassol, Cyprus (for Affise Performance and Mobile Attribution visitors, prospects and customers) and at Affise Inc., 1209 Orange Street, Wilmington, New Castle County, Delaware, 19801, USA (for Reach visitors, prospects and customers).
Our DPO can be contacted by email at email@example.com.