Personal Data Protection and Privacy - Advisory and Litigation

A) Compliance with the General Personal Data Protection Law – LGPD

  • LGPD adaptation projects for private companies and public organizations: diagnosis, construction of the governance program and document review;
  • Preparation of legal opinions, consultations and memos, with specific analysis of the topics covered by personal data protection;
  • Analysis and preparation of documents: contracts, clauses, privacy policies and other instruments;
  • Third party management: support to the controller client in the management of outsourced operators;
  • Management of holders’ rights: support to the controller client in guaranteeing holders’ rights as set out in the Privacy Policy;
  • Training and qualification of employees, partners and service providers in relation to the programs and policies developed; and
  • Administrative work at regulatory entities: Autoridade de Proteção de Dados Pessoais (Personal Data Protection Authority – ANPD), Senacon (National Consumer Secretariat), Anatel (National Telecommunication Agency), among others.

B) DPO as a Service

Outsourcing of the full function of the DPO (Data Protection Officer): acting as a legal entity responsible for personal data protection before the ANPD and the data holders, in order to carry out:

  • Compliance monitoring;
  • Maintenance of the register of personal data processing activities;
  • Personal Data Protection Impact Report;
  • Response to requests from holders;
  • Monitoring of laws and standards;
  • Management of the maturity evolution of the privacy program;
  • Technical and legal support in the development of new initiatives (Privacy By Design);
  • Conduct of the Privacy Committee;
  • Maintenance of employee training;
  • Simulation of the incident response plan; and
  • Relationship with the ANPD.

Advice for the internal operation of the function: support the client in the selection, training and mentoring of the Data Protection Officer (DPO); and

Business legal advice: positioning the DPO within the governance structure of the institution and the structuring of his/her duties.

C) Data Breach and Other Incidents – Prevention and Repression

  • Support in case of incidents of improper exposure of personal data: suggestion of preventive and repressive measures in the internal and external scopes (from the office);
  • Extrajudicial operation: exercise of the right of reply or withdrawal of a publication in an online environment; and
  • Judicial and administrative operations: removal of personal content from the virtual environment; identification of anonymous users on the internet; civil, criminal or labor liability arising from the crime present in the incident; indemnification, restraining and search and seizure measures; legal actions promoted by holders of personal data; administrative procedures and civil investigations conducted by the competent authorities; negotiation of Termo de Ajustamento de Conduta (Terms for the Adjustment of Conduct – TAC); and collective lawsuits related to privacy and data protection.

D) M&A and Data Protection Due Diligence

  • Calculation of values: value added by personal data to the institution;
  • Due Diligence: analysis of client documents and suggestions for improving safety and mitigating operational risks; and
  • Analysis of the institution's degree of maturity in complying with the conditions of the LGPD.