1. Adequacy: It is one of the general principles of the LGPD (art. 6), according to which there must be compatibility between the processing of personal data and the specific purpose informed to the data subject to carry out the processing.
  2. Processing agent: The one who processes personal data, whether a natural person or legal entity, governed by public or private law. Pursuant to article 5, item IX of the LGPD, the processing agents are the controller and the processor.
  3. Material reach: It concerns the application of the LGPD in different means. This term stems from the first article of the LGPD which establishes that the LGPD will provide for the processing of personal data in physical and digital means.
  4. Territorial reach: It concerns the geographic territories in which the LGPD applies with regard to activities/operations of personal data processing. For reference, the LGPD applies to personal data processing activities/operations carried out in Brazil; on individuals located in Brazil; conducted by international organizations that offer services and products in Brazil; and/or whose object is personal data collected in Brazil.
  5. Anonymization: It is the use of reasonable technical means available at the time of processing in order to eliminate the association that exists between the personal data and the data subject, definitively erasing the characteristics that make it possible to identify the data subjects based on such data.
  6. ANPD: It is the acronym for National Data Protection Authority, a public administration body responsible for ensuring, implementing, and supervising compliance with the LGPD throughout the national territory.
  7. Audit: It is a verification of compliance of the activities carried out by a given Processing Agent with the LGPD. In general terms, during this verification, a review of all internal policies and procedures related to the processing of personal data and the information security practices of the Processing Agent is made, with the aim of verifying any failures and inconsistencies that may result in security incidents.
  8. Database: It can be understood as a structured set of personal data, established in one or several places, in electronic or physical support.
  9. Legal bases: The legal hypotheses, provided for in the LGPD, that authorize a certain personal data processing activity/operation.
  10. CD/ANPD No. 02: It is the resolution published by the ANPD, on January 27, 2022, which establishes specific rules for small processing agents.
  11. Cybercrime: It refers to illicit practices carried out in the online and virtual environment.
  12. Cybercriminal: The individual who commits crimes in the online and virtual environment.
  13. Sharing: It is the transmission, distribution, communication, transfer, and/or dissemination of personal data.
  14. Compliance: Compliance can be defined as compliance with norms. When adopted by companies, compliance aims to create practices and procedures to ensure that all legal obligations are met, avoiding losses and forming a good reputational image for the company.
  15. Consent: It is one of the legal bases provided for in the LGPD, being defined as the free, informed, and unequivocal manifestation by which the data subject agrees with the processing of their personal data for a specific purpose.
  16. Controller: A natural person or legal entity, governed by public or private law, who is responsible for decisions regarding the processing of personal data.
  17. Joint controllership: It occurs when two or more persons responsible for the data processing (also called joint controllers or co-controllers) jointly or convergently determine the purposes and means for carrying out a certain personal data processing activity/operation.
  18. Independent controllership: It occurs when the processing of personal data is carried out jointly by two controllers, but with different purposes. Independent controllers are controllers that act independently, where each one has autonomy to decide their own purposes for the processing of personal data, without interference from the other party.
  19. Cookies: These are files created by websites and browsers that are saved on the user’s computer. From these files, usage information is collected, for example, to identify the user and their preferences within the places visited on the internet, making the user experience personalized.
  20. Compliance with a legal or regulatory obligation: It is one of the legal bases of the LGPD used for the processing of data, whose purpose is compliance with a legal or regulatory obligation by the controller, such as labor, tax, anti-corruption obligations, among others.
  21. Anonymized data: It is personal data that goes through the anonymization process, considering the use of reasonable technical means available at the time of processing, in order to make the data subject non-identifiable.
  22. Personal data: All information related to an identified or identifiable natural person.
  23. Personal data of children and adolescents: Personal data of minors under eighteen (18) years of age.
  24. Sensitive personal data: It consists of a subgroup of personal data that has discriminatory potential and is normally part of the data subject’s private life. In this regard, the LGPD determines that the following information is sensitive personal data: information about racial or ethnic origin, religious belief, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data referring to health or sexual life, genetic or biometric data, when linked to a natural person.
  25. DPO: The Data Protection Officer (DPO), existing in the GDPR (General Data Protection Regulation), generally corresponds to Encarregado in the LGPD. The DPO is a specialist in data protection laws and practices, whose role is to monitor and ensure the organization’s compliance with the LGPD rules, in addition to acting as a communication channel between the controller/processor, the data subjects, and the supervisory authority.
  26. Small business: CD/ANPD resolution No. 02 defines the small agents as very small businesses, small businesses, startups, legal entities governed by private law, including non-profit entities, under the terms of the legislation in force, as well as natural persons and unincorporated private entities that process personal data, assuming typical obligations of Controller or Processor.
  27. Social engineering: It is the application of strategies to persuade and manipulate a user to provide personal data or confidential information.
  28. Enforcement of public policies: This is a legal basis provided for in the LGPD for the exclusive use by the public administration. It allows the processing and sharing of data necessary for the enforcement of public policies provided for in laws and regulations or supported by contracts, agreements, or similar instruments.
  29. Performance of the contract: It is one of the legal bases of the LGPD and establishes that personal data may be processed for preparatory acts or the performance of a contract to which the data subject is a party.
  30. Regular exercise of rights in judicial, administrative, or arbitration proceedings: It is one of the legal bases of the LGPD that allows the processing of data, for example, for the maintenance of evidence and documents to be used by the defense in judicial, administrative, and arbitration proceedings, among other situations.
  31. Purpose: It is one of the general principles of the LGPD (art. 6) and establishes that personal data may be processed if it has a legitimate, specific, explicit, and informed purpose without the possibility of further processing in a way that is incompatible with the initially informed purpose.
  32. GDPR: It is the acronym for the General Data Protection Regulation, which is the regulation 2016/679 that provides for privacy, protection of personal data, and free movement of such data.
  33. Governance: Governance is a set of actions aimed at planning, monitoring, and executing procedures related to privacy and personal data management. For reference, it is the privacy governance program that will define the data management strategy to be followed in a given organization, demonstrating commitment, establishing trust and transparency.
  34. Hacker: The individual who has an advanced level of computer knowledge, being able to handle systems, programs or networks, and invade them. A hacker is not necessarily a cybercriminal, as this specific knowledge can not only be used to break into programs, steal or leak information, but also to identify flaws in systems and improve them. This practice by some hackers (white hat) is carried out with the consent of the owner of the system and aims to identify vulnerabilities in order to bring improvements to the system.
  35. Security incident: Any unauthorized access, whether accidental or unlawful, that leads to destruction, loss, alteration, leakage, and other inappropriate forms of data processing.
  36. Interoperability: It is the term used to designate systems and/or organizations that can operate together, ensuring that people, organizations, and computer systems exchange information quickly and efficiently. DATASUS is an example of an interoperable system.
  37. Legitimate interest: It is one of the most subjective and generic legal bases of the LGPD, which allows the processing of personal data when necessary to meet the legitimate interests of the controller or third parties, except in the case of fundamental rights and freedoms of the data subject that require the protection of personal data.
  38. LGPD: It is the acronym for the General Data Protection Law (law No. 13,709/2018), which regulates the processing of personal data.
  39. Free access: It is one of the principles of the LGPD and establishes that data subjects can consult, in an easy and free way, the information that is managed in databases controlled by the processing agents, such as the form, duration of processing, and the completeness of their personal data.
  40. Malware: It is a term that defines any malicious software designed to invade a device or a computer system without the user’s knowledge. Examples include adware, rootkits, and spyware, among others.
  41. Data mapping: It is used to analyze and record the entire path that personal data travels from the moment of collection to its disposal, identifying the entire flow of data and its purposes.
  42. Non-discrimination: It is one of the principles of the LGPD that establishes the impossibility of processing personal data for unlawful or abusive discriminatory purposes.
  43. Need: It is one of the principles of the LGPD that establishes that the processing of personal data must be limited to the minimum necessary for the specific purpose of the processing, avoiding excessive and unnecessary collection.
  44. Open Banking: It is an open financial system, which allows customers of financial products and services to share their information between different institutions authorized by the Central Bank and to operate their bank accounts from different platforms.
  45. Processor: A natural person or legal entity, governed by public or private law, who carries out the processing of personal data on behalf of the controller (art. 5, VII, LGPD).
  46. Research body: A body or entity of direct or indirect public administration or a non-profit legal entity governed by private law legally organized under Brazilian law, with headquarters and jurisdiction in the country, which includes basic or applied research of a historical, scientific, technological, or statistical nature in its institutional mission or in its corporate or statutory purpose.
  47. Phishing: It is a malicious practice, used to deceive internet users in order to collect confidential information and personal data through electronic fraud.
  48. Privacy policy: The privacy policy, or privacy notice, consists of the terms that explain how personal data will be used and what processing operations will be carried out, including, but not limited to, the purpose for which they will be processed and the security measures that will be used to protect the personal data and privacy of the data subjects. The purpose of the privacy policy is to provide transparency to the processing of personal data carried out by a certain Processing Agent.
  49. Accountability: It is the demonstration, by the Processing Agent, of the adoption of effective measures capable of proving the observance and compliance with the rules for the protection of personal data, and even the effectiveness of these measures.
  50. Prevention: It is the adoption of information security measures, by the Processing Agent, to prevent the occurrence of damages due to the processing of personal data.
  51. Privacy by default: It is the concept that all services and products, when launched by companies in the market, have privacy settings by default, i.e., only strictly necessary data will be processed by default.
  52. Privacy by design: It is an approach developed by Ann Cavoukian for the management of personal data, bringing a set of principles to be adopted throughout the information life cycle.
  53. Processing: It can be considered as synonymous with Treatment.
  54. Life protection: It is one of the legal bases of the LGPD that justifies the processing of data in case of risk to the life of the data subject.
  55. Credit protection: It is one of the legal bases of the LGPD that justifies the processing of data in cases of personal data processing necessary to protect credit. For example, this legal basis authorizes the processing of data inherent to the analysis of credit of a consumer interested in obtaining a loan.
  56. Pseudonymization: It is a technique used to process personal data so that data subjects can only be identified through the use of additional information, not available to everyone, and which is typically separated in a controlled and secure environment.
  57. Data quality: It is one of the principles of the LGPD that guarantees personal data subjects the right to the quality of their information, i.e., the accuracy, clarity, relevance, and updating of the data, according to the need and for the fulfillment of the purpose of their processing.
  58. Ransomware: It is a type of malware (malicious software) that hijacks data, usually encrypting information and asking for a ransom to decrypt or release the information again.
  59. Performance of studies by a research body: It is one of the legal bases of the LGPD that justifies the collection and processing of data by a research body.
  60. Retention: It is the continuous filing or storage of data.
  61. RIPD: This is the acronym for Data Privacy Impact Assessment. The RIPD typically has a description of the personal data processing processes that may pose risks to data subjects regarding civil liberties and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms related to the respective processing operation.
  62. Security: It is one of the principles of the LGPD that establishes that the processing agent must adopt technical and administrative measures capable of protecting personal data against security incidents.
  63. Sub-processor: Although not expressly provided for in the LGPD, the figure of the sub-processor can be conceptualized as the one who is hired by the processor to assist in the processing of personal data. The sub-processor is subordinate to another processor, i.e., it has a direct relationship with the processor and not with the controller.
  64. Personal data subject: The natural person to whom the personal data belong.
  65. Cross-border processing: It is the transfer of personal data that is in Brazilian territory to a foreign country or international organization.
  66. Transparency: It is the principle of the LGPD that guarantees data subjects access to information on the processing of their personal data and the respective Processing Agents, in a clear, accurate, and easily accessible manner, observing commercial and industrial secrets.
  67. Processing: It consists of any and all operations of collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, diffusion or extraction, which use personal data.
  68. Data sharing: It is the communication, diffusion, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in compliance with their legal competences, or between these and private entities, reciprocally, with specific authorization, for one or more processing modalities allowed by these public entities, or between private entities.