In August 2018, Brazil approved Law No. 13.709 of 14 August 2018 (LGPD, or Lei Geral de Proteção de Dados). Similar to GDPR or the Law of Ukraine No. 2297-VI on the protection of personal data adopted in 2010 (“PPD”), the LGPD is an omnibus law that covers a wide range of issues: data protection impact assessment, controller and processor obligations, data subject rights, powers of supervisory authorities, rules on the international transfer of data, to name a few.
To those who are already familiar with the GDPR, the LGPD can seem a manageable task. You do not, however, have to learn Ukrainian or EU law by heart to understand the Brazilian data protection law. This article aims to ease the introduction to the LGPD for those who work between Ukraine and Brazil and want to assess whether either law applies to them and where to seek advice if needed.
Scope, competence, applicability
Both laws are omnibus statutes that set a uniform standard across the whole country and can only be complemented by sector-specific laws.
The Ukrainian PPD applies within the limits set by the Constitution of Ukraine, the codes and laws passed by the Ukrainian parliament and authorities, and international law. Traditionally, if the processing takes place within the borders of Ukraine, the data processing agent resides in Ukraine, or the personal data belongs to a Ukrainian resident (regardless of citizenship), the Ukrainian law should be taken into consideration. However, the law contains no clear extraterritoriality clause; whether the Ukrainian law applies must be established by a court on a case-by-case basis.
The LGPD, on the other hand, states its international applicability prominently in Articles 3 and 4. The purpose of the processing must be to offer or provide goods or services to individuals located in Brazil. The act sets out two triggers: the personal data must belong to individuals located in Brazil, or it must have been collected in Brazil (meaning that, at the moment of collection, the individual was in Brazil).
Both the Ukrainian law and the LGPD protect the personal data of natural persons; data of legal persons is not covered. Both laws take a similar approach to determining whether data is in fact personal data and share a similar list of sensitive personal data categories. However, the LGPD emphasises the sensitivity of children's data, while complementary Ukrainian legislation defines precise geolocation as sensitive data.
Supervisory authorities, controllers and processors
Both laws define controllers and processors.
In Ukraine, the controller (the "owner" of personal data) is a natural or legal person that has obtained the right to process personal data by law or by the consent of the data subject, and that determines the purpose of processing the personal data held in a personal data database, establishes the content of that data and the procedures for its processing, unless otherwise prescribed by law. The data processor, in turn, is a natural or legal person that has obtained the right to process personal data on behalf of the controller or by law.
Under the LGPD, a data controller is a natural or legal person (public or private) that defines the purposes of the processing of personal data. A data processor is a natural or legal person that carries out the processing on behalf of the data controller (unlike the GDPR, the LGPD does not require a written agreement between the controller and the processor).
The supervisory authorities are:
- In Ukraine: the Ukrainian Parliament Commissioner for Human Rights ("Ombudsman").
- In Brazil: the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, "ANPD").
Legal basis and international transfers
Both laws share six legal bases of processing: consent, contract, legal obligation, public interest, vital interest, and the legitimate interest of the controller. The LGPD lists additional bases with no direct Ukrainian counterpart, such as research, health protection and credit protection, so the overlap is not a one-to-one mapping.
The LGPD contains a general prohibition on international transfers of personal data outside Brazil. The prohibition is lifted if the organisation takes one of the precautions listed in the act: for instance, it enters into a data protection agreement based on the standard contractual clauses adopted by the ANPD, or the transfer goes to a country that the ANPD has recognised as providing an adequate level of protection of personal data and of the rights of data subjects (an adequacy decision).
The Ukrainian PPD prohibits the onward transfer of personal data to foreign entities engaged in processing unless the state in which such an entity is located provides adequate protection of personal data (as established by law or by an international treaty to which Ukraine is a party). Additional guarantees of non-interference in the private life of data subjects, unambiguous consent to the transfer, or the necessity of transferring the data abroad to carry out a transaction at the request of the data subject can also serve as prerequisites for a lawful onward transfer.
Privacy policies and other documents
Both acts require the data controller to inform data subjects about the processing of their personal data.
Under the LGPD, both controllers and processors must keep records of the personal data processing operations they carry out, although the act does not define which information about the processing must be recorded. The act also provides for the controller to carry out a data protection impact assessment (DPIA), with the required contents of the DPIA report subject to further clarification from the ANPD.
The LGPD requires organisations to appoint a DPO. The act names the controller as the person responsible for the appointment; however, the ANPD has further clarified that this obligation extends to both controllers and processors. Ukrainian law requires the appointment of a data protection officer (or department) only where sensitive data is processed. The law sets out the tasks and functions of such an officer but states no other requirements.
Data breaches and security of personal data
The LGPD requires technical and administrative measures capable of protecting personal data from unauthorised access and from accidental or unlawful destruction, loss, alteration, communication or dissemination. The supervisory authority reserves the right to set minimum security standards. This obligation extends to both controllers and processors. The controller, however, is the one who must notify the ANPD and the affected data subjects of security incidents that may create risk or relevant damage to data subjects, and there is no predetermined deadline: a notion of "reasonable" time applies.
The PPD does not require notification of personal data security breaches to the Ombudsman. However, the organisation must inform data subjects about any amendment, deletion or destruction of their personal data within ten business days.
Data subject rights
The LGPD and the Ukrainian law provide a similar scope of data subject rights, with some caveats:
Should you apply the LGPD if your organisation is located in Ukraine but processes the personal data of individuals located in Brazil? Yes.
The task is easier if you have already taken steps to comply with the GDPR: the two acts are similar in nature, so an existing privacy programme needs comparatively little additional work, although it still entails adopting a considerable number of policies and additional training on the particularities and differences between the two regimes.
Without prior experience of lawfully processing EU-originated data, however, a Ukrainian organisation's LGPD compliance programme will require considerably more attention and effort to strengthen the security of the data and to safeguard the privacy of data subjects through its data protection policies and procedures.