On 26 October 2023, the Brazilian Data Protection Authority (ANPD) issued a privacy notice, providing insight to data subjects on how the ANPD processes personal data.
This privacy notice is highly informative in setting out the expectations that all organizations may be expected to meet. Their privacy notices must include:
(i) the categories of personal data (a list of examples is sufficient);
(ii) the data subjects affected;
(iii) the purposes of processing;
(iv) the lawful bases for processing personal data;
(v) a summary of how the organization uses cookies (providing a specific cookie policy is also recommended);
(vi) the sources of personal data;
(vii) the criteria used by the organization to retain and delete data (notably, the ANPD did not specify the length of the retention periods);
(viii) information on whom the organization shares personal data with (the purposes of these disclosures are not required, nor are exhaustive lists of third parties);
(ix) a brief summary of how the organization protects personal data;
(x) the data subjects’ rights, as provided for in the LGPD; and
(xi) methods to contact the organization’s data protection officer (personally identifying the officer is not necessary).
A chart linking categories of data to the affected individuals, along with purposes and the corresponding lawful bases, is likely the best format for companies to submit their information, following the ANPD’s privacy notice.