Personal Data Protection and Privacy - Advisory and Litigation
A) Compliance with the General Personal Data Protection Law – LGPD
- LGPD adaptation projects for private companies and public organizations: diagnosis, construction of the governance program and document review;
- Preparation of legal opinions, consultations and memos, with specific analysis of the topics approached by the personal data protection;
- Analysis and preparation of documents: contracts, clauses, privacy policies and other instruments;
- Third party management: support to the controller client in the management of outsourced operators;
- Training and qualification of employees, partners and service providers in relation to the programs and policies developed; and
- Administrative work at regulatory entities: Autoridade de Proteção de Dados Pessoais (Personal Data Protection Authority – ANPD), Senacon (National Consumer Secretariat), Anatel (National Telecommunication Agency), among others.
B) DPO as a Service
Outsourcing of the full function of the DPO (Data Protection Officer): responsible for the personal data protection as a legal entity before the ANPD and the data holders, in order to develop:
- Compliance monitoring;
- Maintenance of the register of personal data processing activities;
- Personal Data Protection Impact Report;
- Response to requests from holders;
- Monitoring of laws and standards;
- Management of the maturity evolution of the privacy program;
- Technical and legal support in the development of new initiatives (Privacy By Design);
- Conduct of the Privacy Committee;
- Maintenance of employee training;
- Simulation of incident response plan;
- And relationship with ANPD.
Advice for the internal operation of the function: support the client in the selection, training and mentoring of the Data Protection Officer (DPO); and
Business legal advice: positioning the DPO within the governance structure of the institution and the structuring of his/her duties.
C) Data Breach and Other Incidents – Prevention and Repression
- Support in case of incidents of improper exposure of personal data: suggestion of preventive and repressive measures in the internal and external scopes (from the office);
- Extrajudicial operation: exercise of the right of reply or withdrawal publication in an online environment; and
- Judicial and administrative operations: removal of personal content from the virtual environment; identification of anonymous users on the internet; civil, criminal or labor liability arising from the crime present in the incident; indemnification, restraining and search and seizure measures; legal actions promoted by holders of personal data; administrative procedures and civil investigations conducted by the competent authorities; negotiation of Termo de Ajustamento de Conduta (Terms for the Adjustment of Conduct – TAC); and collective lawsuits related to privacy and data protection.
D) M&A and Data Protection Due Diligence
- Calculation of values: amount added by personal data to the institution;
- Due Diligence: client document analysis and suggestions for improving the safety and mitigate operational risks; and
- Analysis of the degree of maturity in relation to the compliance of the institution to the conditions of the LGPD.