FGV AND DATA PROTECTION
Fundação Getulio Vargas strives to contribute to the development of high-quality teaching and research in Brazil. It has operated as an important agent in several areas of social sciences through a series of innovative initiatives. Considering that Brazil’s General Data Protection Law (Law nº. 13.709/18, Lei Geral de Proteção de Dados Pessoais – LGPD) was approved in 2018, FGV has been working to comply with it along with other sectoral laws on data protection already in force. In this sense, FGV is committed to protecting and safeguarding the rights of data subjects, as well as being an agent that stimulates discussions about the importance of privacy and data protection rights, participating in the public debate with a clear goal of contributing to create a data protection culture in Brazil. In this website you will find guidelines about the LGPD and information about what FGV has done in its data protection compliance program. This content will be regularly updated, and it aims to share with the national and international community the methods and processes employed by FGV in order to encourage the development of a culture of data protection within the educational sector.
The main national data protection laws in the world are guided by General Principles of Data Protection, the backbone of data protection regulation. It is based on these principles that FGV has structured its Compliance Program. They are listed in the LGPD as follows:
Processing done for legitimate, specified and explicit purposes for which the data subjects are informed, with no possibility of subsequent processing that is incompatible with these purposes.
Compatibility of the processing with the purposes informed to the data subject, according to the processing context.
- DATA MINIMIZATION
Limitation of processing to the minimum necessary to achieve its purposes. All personal data must be relevant, proportional and non-excessive in relation to the purposes of the data processing.
- OPEN ACCESS
Data subjects are guaranteed facilitated and free of charge consultation about the form and duration of the processing, as well as about the integrity of their personal data.
- DATA QUALITY
Data subjects are guaranteed that their data is accurate, transparent, relevant and kept up to date, in accordance with the necessity for achieving the purpose of the processing.
Data subjects are guaranteed clear, accurate and easily accessible information about the processing and its agents, subject to commercial and industrial secrets.
Use of technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination.
Measures to prevent the occurrence of damages due to processing of personal data.
- LIABILITY AND ACCOUNTABILITY
Processing agents should be able to demonstrate that they are adopting measures taken to comply with data protection legislation. They should also demonstrate the efficacy of these measures.
Impossibility of processing personal data for unlawful or abusive discriminatory purposes.
FREQUENTLY ASKED QUESTIONS
Personal data is any sort of information which can identify or make a natural person identifiable, such as names, ID numbers, addresses, cookies, or other sorts of information related to a person, for example, their location, cultural preferences, attitudes and interests.
LGPD is the Portuguese acronym for the General Data Protection Law (Law nº. 13,709/18), the Brazilian general regulation about the topic, which will come into force in August 2020. Inspired by the GDPR, the European data protection regulation, LGPD will be the normative standard that will guide personal data protection processing in Brazil.
By the time the LGPD was approved, in August 2018, Brazil already had over 40 laws and sectoral resolutions in force concerning personal data protection. Despite not being the first law to bring this topic into the debate, the LGPD is a transversal regulation, being applicable to all sectors (academia, public sector, private sector and third sector) and extremely relevant for Brazil.
The law applies to processing agents (data controllers and data processors), as well as to data subjects.
Data controller is a natural or legal person, under public or private law, who determines the purposes for which and the manner in which any personal data are processed. Data processor is a natural or legal person, under public or private law, who processes personal data on behalf of the data controller.
Data subject is the natural person to whom processed personal data refer to.
Regarding personal data protection, the main regulations that apply to services provided by FGV are the ones as follows:
- LGPD: it will be applicable to FGV services as the institution collects, stores, uses and shares personal data from people in Brazil.
- Brazilian Civil Rights Framework for the Internet (MCI): MCI is applicable to FGV as it regulates the use of the internet in Brazil, providing for the requirement of free, express and informed consent for collection, use and storage of personal data in the country;
- Decree 8.771/16: regulates certain points of the MCI, mainly concerning issues related to security and safety standards that must be followed by companies for processing personal data, whether these companies are application or connection service providers. It also regulates matters of data lifecycles and data erasure;
- Consumer Protection Code (CDC): CDC is also applicable to the services provided by FGV, since this legislation requires that private educational institutions make available information contained in their database to data subjects.
FGV is classified as both data controller and data processor, according to the context. It will be a data controller if it is responsible for the decisions regarding the processing of personal data, e.g. in cases in which it collects personal data from students for enrollment. It will act as a data processor if it processes personal data on behalf of a data controller, e.g. in cases in which it has a partnership with an international university to create a course overseas.
According to the LGPD, both data controllers and data processors are classified as processing agents, therefore, FGV is considered as such.
FGV has taken a series of measures to comply with data protection regulations. As part of the compliance program, questionnaires have been used across the institution as part of the data mapping stage in order to understand data flows and verify their accordance to the obligations listed in the LGPD and other data protection regulations. All data collected from these questionnaires will be analyzed in order to elaborate a Data Protection Impact Assessment.