The General Data Protection Law (LGPD), Law nº 13.709, of August 14, 2018, is Brazilian legislation that establishes guidelines for the collection, storage, processing and sharing of personal data, imposing greater control over and protection of this information. The LGPD has a direct impact on several sectors of the economy, including the banking sector, which is known to handle a large amount of personal and sensitive data from its customers.
First, it is important to understand that the LGPD classifies personal information into two categories: personal data and sensitive data. Personal data is any information relating to an identified or identifiable natural person. Sensitive data is personal data that reveals racial or ethnic origin, religious beliefs, political opinions, data regarding health or sex life, genetic or biometric data.
In the banking sector, both personal data and sensitive data are collected and processed on a regular basis. For example, when opening a bank account, the bank collects personal data such as name, address, CPF number, among others. In addition, when applying for a loan, the bank may collect sensitive data, such as information about the customer's financial situation.
According to the LGPD, the processing of personal data can only be carried out in the following situations: with the consent of the holder; to comply with a legal or regulatory obligation; for the performance of contract or preliminary contract-related procedures; for the regular exercise of rights in judicial, administrative or arbitration proceedings; for credit protection; and to serve the legitimate interests of the controller or a third party.
In the case of the banking sector, data processing is often carried out to comply with a legal or regulatory obligation, to execute a contract or to protect credit. However, in many cases, the bank needs to obtain the consent of the data subject in order to be able to process the data. Consent must be free, informed and unambiguous, and the data subject has the right to withdraw it at any time.
The LGPD also establishes that the data subject has the right to: access their personal data; correct incomplete, inaccurate or outdated data; anonymize, block or eliminate data that is unnecessary, excessive or processed in violation of the law; port their data to another service or product provider; have personal data processed with their consent eliminated; be informed of the public and private entities with which the controller has shared data; be informed of the possibility of not providing consent and of the consequences of refusal; and revoke consent.
To ensure compliance with the LGPD, banks must implement technical and administrative measures to protect personal data from unauthorized access and from situations of destruction, loss, alteration, or undue or accidental communication or dissemination. This may include encrypting data, anonymizing data, implementing information security policies, and performing regular audits, among other measures.
In the event of a data breach, the LGPD provides for the application of administrative sanctions, which can range from warnings to fines of up to 2% of the company's revenue, limited to R$ 50 million per violation. In addition, the company may be obliged to publish the occurrence of the breach in mass media and to report the breach to the data subject.
Therefore, the LGPD represents a milestone in the protection of personal data in Brazil and has a significant impact on the banking sector. To comply with the law, banks need to review their policies and practices for collecting, storing, processing and sharing data, and implement measures to ensure the protection of their customers' personal data.