The Brazilian LGPD is Here: What You Need to Know

2. Speakers 2 Paul Breitbarth LL.M Director, EU Policy & Strategy TrustArc Christina Fratschko HBA, MLIS, CIPP/US Privacy Research Specialist, Privacy Intelligence TrustArc Jucival Dos Santos MBA Managing Principal & Founder Assent Trust

3. Agenda 3 ● The current status of LGPD and its enforcement timeline ● Requirements for organizations doing business in Brazil including accountability, legal bases, individual rights and International transfers ● How to prepare for compliance

5. Adoption of the LGPD 5 16 August 2020 Expected entry into force of LGPD Proposal to postpone to 3 May 2021, because of COVID-19 26 August 2020 Senate rejects 2021 postponement Publication of the ANPD Decree (regulator) Before 17 September 2020 President Bolsonaro confirms application of LGPD August 2021 LGPD penalties can be imposed

7. Legal Bases 7 I. Consent II. Compliance with a legal obligation III. Public administration for public policies IV.Research V. Execution of a contract, or preliminary procedures for a contract VI.Legal procedures VII.Protection of life or physical safety VIII.Protection of health [only for healthcare professionals] IX.Legitimate interests X. Protection of credit Article 7 LGPD et seq.

8. Individual Rights 8 ● Data ownership ● Confirmation of the existence of processing ● Access ● Correction ● Anonymization, blocking or deletion of unnecessary or excessive data ● Data portability ● Withdrawal of consent, followed by deletion ● Information about data sharing Article 17 LGPD et seq.

9. International Transfers 9 ● International data transfers: the transfer of personal data to a foreign country or to an international entity of which the country is a member. ● Main Rule: data transfers only to adequate countries ○ Brazilian DPA will need to draft the list once up and running ○ Criteria: applicable data protection regime and the nature of the data; alignment of security requirements with the LGPD; existence of judicial and institutional guarantees for respecting the rights of personal data protection ● Alternative: transfers based on sufficient guarantees the data will be protected ○ standard contractual clauses or ad hoc agreements; ○ global corporate rules (like BCRs and CPBRs); ○ public interests; ○ consent; or ○ following approval by the DPA. Chapter V LGPD

10. Data Breaches 10 ● Security incidents that may lead to material risk or harm must be reported, in a reasonable time period, to the national authority (to be the DPA), and affected data subjects. ● The notification should include a: ○ description of the nature of personal data affected; ○ information about affected data subjects; ○ an indication of the technical and safety measures used to protect personal data; ○ risks related to the incident; ○ measures that will be adopted to reverse or mitigate the effects of the incident; and ○ reasons for any delayed notification. ● The DPA may require controllers to adopt measures such as: ○ wide dissemination of the incident to the media; and ○ measures to reverse or mitigate the effects of the incident. Article 48 LGPD

11. Accountability Obligations 11 ● One of the key principles of the LGPD ● Both controllers and processors will need to be able to demonstrate “the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures” ● Includes: ○ Appointment of DPO (subject to ANPD guidance) ○ Processing activities register ○ Impact and Risk Assessments (subject to ANPD guidance) ● Suggestion to develop a privacy compliance program ○ Demonstrating commitment to adopt internal processes and policies that ensure broad compliance ○ Establishing adequate policies and safeguards based on a process of systematic evaluation of the impacts on and risks to privacy ○ Integrate privacy governance into the general governance structure ○ Regular updates Article 6(x) and 50 LGPD

13. Main Characteristics of the ANPD 13

14. Main characteristics of the ANPD 14 ● The ANPD will be part of the Federal Administration and bound to the Executive Office of the President ● Two main bodies of the ANPD are: ○ The Board of Directors: ■ This is the top executive body and is comprised of 5 members, including the Chairman, who has normative, investigatory, and corrective powers ○ The National Data Protection and Privacy Council (aka the Advisory Board): ■ This is a consulting body, comprised of 21 members who are chosen among representatives of different bodies of the administration, the Legislative Branch, the Judicial Branch, and entities representing civil society organizations ● ANPD officials will be appointed based on a reappointment of the budget of the Ministry of the Economy, and the President will have the authority to appoint the Board and Council Members ● Board Members will have a 4 year term, however the terms of office of the first members of the Board will be 2, 3, 4, 5, and 6 years ● Council members will have a 2 year term and reelection is permitted only once ● The Decree will come into force upon publication of the appointment of the Chairman of the Board by the President

15. Powers of the ANPD 15 ● ANPD Responsibilities Includes: ○ Ensuring protection of personal data ○ Editing procedures of protection of personal data ○ Requesting information from controllers and processors, at any time, on processing operations ○ Inspecting and applying sanctions for processing violations ○ Carrying out audits to determine compliance with the LGPD ○ Communicating any criminal offenses to competent authorities ○ Promoting cooperation actions with personal data protection authorities of other countries ○ Ensuring processing of data on the elderly is carried out in a simple, clear, accessible and appropriate way for their understanding ○ Imposing administrative sanctions

16. Powers of the Board of Directors of the Executive Board 16 ● Requesting from Controllers: ○ An impact report on the protection of personal data when processing is based on legitimate interests ○ Supplementary information and carry out checks on processing operations, in the context of approving international data transfers ● Authorizing International Data Transfers: ○ Including evaluating the adequacy of other countries' personal data protection ● Regulating: ○ Communication or shared use of sensitive personal data between controllers for economic advantage ○ Access to personal databases by research bodies when carrying out public health studies ○ Ethical standards related to studies and research: ■ Including the use of anonymization or pseudonymization ○ Portability of personal data between service or product supplies ○ Presentation format of data sent to data subjects upon their request: ■ i.e., that it is provided in a format that allows its subsequent use ○ Communication or shared use of personal data from legal entities under public law to legal entities under private law

17. Powers of the Directing Council of the Executive Board 17 ● Providing: ○ Standards and techniques used in anonymization processes ○ Forms of publicity for data processing operations carried out by legal entities governed by public law ● Determining: ○ Cessation of processing when there is a violation of the LGPD ○ Performance of an audit to verify discriminatory aspects in automated processing of personal data ○ Adoption of correction measures based on the severity of security incidents ○ Deadline to report a data breach ○ Methodologies that will guide the calculation of sanctions

18. Project of Legislative Decree 394/2020 18 ● Key Aspects of the Proposal - More Autonomy for the ANPD: ○ The proposal seeks to suspend certain provisions from Decree No. 10,474 of August 26, 2020 which this deputy believes reduces the autonomy of the ANPD ○ Concerns include: ■ Overarching power by the President, as he appoints the Board of Directors, who in turn appoint an Advisory Board off of a list of criteria established by the Board of Directors ■ Article 37 from Decree No.10,474, which gives the ANPD power to appoint military help when needed, however the military will only respond to the President and not the ANPD ■ The presidency of the CNPD will be exercised by the Representative of the Civil House of the Presidency

20. Regulation Knowledge 20 Source: TrustArc Global Benchmarks Survey 2020

21. Regulation Knowledge 21 Source: TrustArc Global Benchmarks Survey 2020 What is the overall impact of the following regulatory requirements on your business?

22. How to prepare for compliance? 22 1. Understanding your legal requirements under LGPD ○ Ongoing activity - due to yet to be drafted ANPD guidelines 2. Assess your Brazilian data processing operations (+ create register) ○ Processing taking place in Brazil ○ Processing targeting the Brazilian mark ○ Processing personal data from persons in Brazil 3. Document data transfers to and from Brazil 4. Update Individual Rights procedures to deal with LGPD requirements and deadlines 5. Keep documentation of all implementation steps

23. Why TrustArc 23 The Combination of Automation, Intelligence and Dedicated Success Teams This automated, single platform experience delivered through its unique combination of privacy frameworks, intelligence, knowledge and operations. Complete Automation Embedded Deep Intelligence Dedicated to Success Only TrustArc can deliver the depth of privacy intelligence that’s essential to today’s ever- changing digital world combined with a fully-automated platform for end-to-end privacy management. Our comprehensive onboarding with dedicated customer success teams can be augmented with privacy and compliance consulting expertise to build and grow successful privacy programs 23

24. 24 Platform Capabilities PRIVACY SOLUTIONS Regulatory Insights and Monitoring Privacy Program Assessments Risk Management Frameworks and Planning Consent Management Privacy Rights Management Breach Response Audit and Assurance Compliance Monitoring Awareness and Training Task Management and Action Plans Reporting DataCapture Applications External API’s KNOWLEDGE BASE Data Inventory Hub My Company Info Tracker Scans Intelligence System(IoP) Libraries TrustArc Privacy and Data Governance Accountability Framework Law and Regulatory Standards Repository INTELLIGENCE ENGINES Deep Intelligence + Complete Automation How TrustArc Helps: Data Privacy Management Platform

25. TrustArc Resources 25 https://trustarc.com/lgpd-resources/

27. Upcoming Webinars 27 Past Webinars Cookie Consent Regulatory Updates: How to Maintain Compliance September 30, 2020 @ 9:00 PST The Brazilian LGPD is Here: What You Need to Know Free Download How to Leverage Your GDPR Compliance for CCPA, Privacy Shield & More New Requirements Free Download

28. © 2019 TrustArc Inc Proprietary and Confidential Information Thank You! See http://www.trustarc.com/insightseries for the 2020 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.