Part I: Executive Overview and Regulatory Context
1.1 LGPD Jurisdiction and High-Risk Classification
The Lei Geral de Proteção de Dados (LGPD) imposes stringent requirements on multinational organizations operating within the Brazilian jurisdiction. The applicability of the LGPD is established through clear extraterritorial criteria, ensuring that any processing operations carried out in Brazil, or those involving data subjects located within the national territory, or activities aimed at offering goods or services to the Brazilian public, fall under its purview (Art. 4). Given that the satellite company is actively engaged in the sports betting sector, directly servicing the Brazilian populace and utilizing infrastructure within the country, it is definitively subject to these regulations.
The nature of the company's activities places it squarely within the highest echelon of regulatory scrutiny due to its classification as a high-risk data processing agent. The Autoridade Nacional de Proteção de Dados (ANPD) guidance explicitly defines specific processing activities that elevate the risk profile. The operations of the satellite entity are deemed high-risk due to two critical, intersecting factors identified by the Authority.[1] First, the organization processes financial data, encompassing transactions, payment methods, withdrawals, and related monetary controls, which inherently carry relevant risks of financial harm to the data subjects, such as identity theft or fraud.[1] Second, the operation involves the processing of data on a large scale.[1] In the context of the betting sector, this scale is determined by the high volume of unique data subjects, the high frequency of processing activities (e.g., daily transactions, real-time betting records), and the extensive geographic reach of the service provision across Brazil. The simultaneous combination of handling financial data and operating at this significant scale means the organization must adhere to the strictest interpretation of security requirements and legal mandates, including the principle of accountability.[2] This high-risk classification carries a significant regulatory consequence: the ANPD may mandate a Data Protection Impact Assessment (RIPD/DPIA) at any time, and any security lapses will be met with elevated enforcement scrutiny. Recent ANPD sanctions, even against public institutions, underscore the Authority's readiness to enforce failures related to timely communication and compliance record-keeping involving financial and health data.[3]
1.2 Strategic Distinctions: LGPD vs. GDPR Operational Gaps
Organizations accustomed to the European Union's General Data Protection Regulation (GDPR) framework must implement strategic and operational adjustments to accommodate the LGPD's often more stringent or nuanced requirements. Understanding these differences is crucial for the EU parent group to manage compliance resource allocation efficiently and avoid assuming that existing GDPR processes suffice in the Brazilian context.
One of the most immediate and critical operational adjustments required pertains to the speed of response to Data Subject Access Requests (DSARs) and security incident notifications. While the GDPR establishes a general 30-day timeframe for responding to data access requests (Art. 12, 3), the LGPD imposes a significantly compressed deadline (Art. 19, II). Furthermore, the definition of "reasonable time" for breach notification has been clarified by ANPD resolution to mandate faster communication compared to the 72 calendar hours required by the GDPR.
The LGPD also confers specific, explicit rights upon data subjects that require distinct technical implementation. A notable example is the explicit right to request the anonymization of data (Art. 18, IV) that is deemed unnecessary, excessive, or processed non-compliantly.[4] This mandate requires robust data mapping capabilities capable of executing granular, non-reversible anonymization within the data infrastructure, which is a technical challenge distinct from standard erasure or rectification procedures.
Finally, while both regimes rely on legal bases, the LGPD's offering of 10 bases necessitates careful selection. This is particularly relevant in high-risk areas like fraud prevention, where regulatory clarity favors selecting specific, demonstrably appropriate bases (e.g., Protection of Credit, Art. 7, X) over the broader Legitimate Interest base. The subsequent table highlights these key operational distinctions, emphasizing the higher compliance risk associated with the compressed timelines in Brazil.
Table 1: LGPD vs. GDPR Critical Operational Distinctions (Strategic Focus)

| Compliance Domain | LGPD Requirement (Brazil) | GDPR Requirement (EU) | Risk/Implication for Entain |
|---|---|---|---|
| Data Subject Access Request (DSAR) Deadline | 15 days for declaration/full access (Art. 19, II)[5] | 30 days (Art. 12, 3) | High: Requires localization of PII retrieval systems and a highly efficient internal workflow to avoid non-compliance penalties. |
| Breach Notification Deadline (to ANPD) | 3 business days (Resolution 15/2024)[1] | 72 calendar hours (Art. 33, 1) | Critical: Mandates fast internal decision-making and rapid deployment of the communication plan, especially given the financial data profile.[1] |
| Anonymization Right | Explicit right to request anonymization of excessive/non-compliant data (Art. 18, IV)[4] | Implicitly part of erasure/rectification. | Technical: Requires advanced data mapping capable of granular, non-reversible anonymization within the data environment. |
| Basis for Minors' Data | Any legal basis possible, provided "Best Interest" is prioritized[7] | High preference for Consent or strict necessity (context-specific) | Legal: Requires demonstrability (Accountability Principle) that minors' best interest was considered even when relying on bases like Legitimate Interest (if processing adolescents' data). |
Part II: Mandatory Foundational Legal and Administrative Framework
Compliance requires immediate action on three statutory obligations that establish the backbone of institutional accountability required for a large-scale data controller in Brazil.
2.1 The Role of the Encarregado (DPO): Appointment and Governance (LGPD Art. 5, V, 23)
The formal appointment of a Data Protection Officer, referred to as the Encarregado, is a mandatory requirement for the Brazilian satellite company. As a large international group processing high-risk data (financial and large-scale), the organization does not qualify for any potential exemptions granted to small businesses.[8] The Encarregado is statutorily defined as the essential communication channel among the Controller, the Data Subjects, and the ANPD.[9]
To fulfill this critical function effectively, the appointed DPO must be capable of effective communication in Portuguese with both the Data Subjects and the ANPD. This requirement necessitates a local Brazilian presence, whether through a dedicated internal employee, a specialized internal committee, or a contracted third-party firm with demonstrable local expertise. This local presence is necessary to ensure timely and contextually accurate regulatory and data subject communications.
Regulatory compliance mandates the actionable disclosure of the DPO's contact information. The identity and contact details (physical or digital address, phone, email) of the Encarregado must be published publicly, clearly, and objectively, with the official Brazilian entity website being the preferred medium for dissemination.[8]
A necessary consideration involves managing potential conflicts of interest. The ANPD has published specific guidance (Res. 18/2024) on the DPO's roles and potential conflicts.[8] Given the high-risk nature of the business (betting, financial transactions), the DPO cannot also be directly responsible for the operational management of the data processing systems (e.g., Head of IT or Chief Operational Officer), as this creates an inherent conflict that compromises independent oversight. The global group must ensure the local DPO role is positioned to exercise authority over compliance decisions while maintaining functional independence from high-risk business operations to uphold the accountability principle effectively.
2.2 Data Protection Impact Assessment (RIPD/DPIA) (LGPD Art. 38)
While the LGPD grants the ANPD the authority to request a DPIA, known in Brazil as the Relatório de Impacto à Proteção de Dados (RIPD), conducting this assessment proactively is a mandatory best practice for large-scale processing of financial and behavioral data, which intrinsically carries a "relevant risk or damage".[1]
The RIPD must be systematic in its scope, requiring a detailed description of all personal data processing operations carried out by the Brazilian entity. This description must be coupled with a thorough assessment of the specific risks posed to Data Subjects, particularly relating to financial fraud and identity theft, which are heightened concerns in the betting industry. The assessment must thoroughly document all mitigating security measures adopted, encompassing both technical safeguards (e.g., encryption, access controls) and administrative controls (e.g., training, policies).[1]
The RIPD must specifically focus on inherent high-risk elements of the betting sector, including: the detailed profiling mechanisms used for customer segmentation and risk scoring; the security infrastructure for the storage and encryption of financial credentials; and any potential use of sensitive data, such as biometric data for authentication or detailed data regarding gambling habits. The preparation of the RIPD is essential for demonstrating institutional accountability and preparedness against regulatory scrutiny.
2.3 Formalizing International Data Transfers (IDTs) (LGPD Art. 33)
The transfer of personal data from the Brazilian satellite company (the data "Exportador") to the EU parent company or other global data centers (the "Importador") is strictly regulated under LGPD Article 33. The transfer mechanism must be formalized and often requires ANPD approval.
Until a formal adequacy decision is reached between the EU and Brazil, compliance dictates the implementation of recognized safeguards. The most immediate solutions include implementing LGPD Standard Contractual Clauses (SCCs) or utilizing Binding Corporate Rules (BCRs), if they are part of the global structure. The SCCs must be specific to the LGPD, ensuring that Brazilian legal obligations are contractually imposed on the receiving entity.[10] If minors' data is involved (e.g., age verification checks), the clauses must incorporate additional safeguards to ensure processing aligns with the minor's best interest.[10]
If the Entain Group relies on Binding Corporate Rules, these BCRs must be submitted to and approved by the ANPD. A critical, and often overlooked, requirement associated with ANPD-approved BCRs relates to transparency and access rights. ANPD regulations stipulate that the complete text of the approved corporate rules must be made available to Data Subjects upon request within 15 calendar days.[12] This timeline is identical to the DSAR access deadline (Art. 19).[5] Therefore, the global BCR repository must be integrated into the Brazilian DSAR workflow, ensuring local teams can retrieve and disseminate these complex corporate documents rapidly, upholding the strict local access timeline.
Part III: Nuanced Regulatory Interpretation and Critical Compliance Questions
Effective LGPD compliance requires navigating specific regulatory ambiguities, particularly concerning the selection of legal bases and the operationalization of data subject rights, incorporating ANPD guidance to ensure correctness.
3.1 Legal Basis Assessment (LGPD Art. 7 & 11)
The reliance on a correct legal basis is the cornerstone of accountability. Misidentifying the basis for high-risk activities like fraud prevention, especially involving financial data, exposes the company to severe sanctions.
3.1.1 Justifying Fraud Prevention and Financial Checks
Fraud prevention is highly relevant in the betting sector and should be anchored in a specific, demonstrable legal mandate rather than the broad 'Legitimate Interest'. The recommended legal bases provide greater certainty:

1. Protection of Credit (Art. 7, X): This is the dedicated legal basis for processing data related to financial checks, including investigations of financial fraud and solvency verification.[13] This is particularly strong if the processing relates to AML compliance, which requires checks for credit risk and financial irregularity.
2. Legal Obligation (Art. 7, II): This basis is superior if regulatory bodies (e.g., financial intelligence or government regulatory bodies) mandate specific fraud or AML checks.

While Legitimate Interest (Art. 7, IX) can be used for fraud prevention[13], reliance on it requires a rigorous Legitimate Interest Assessment (LIA) to balance the Controller's interest against the Data Subject's rights.[13] Since there is no legal hierarchy among the bases[13], choosing a more specific, regulatory-backed basis (Art. 7, X or Art. 7, II) is strategically safer for high-volume financial data processing, providing a more robust defense against challenges of necessity or proportionality.
3.1.2 Data of Children and Adolescents (LGPD Art. 14)
The ANPD's definitive interpretation (Enunciado) confirms that the treatment of minors' data (under 18) may rely on any legal basis (Arts. 7 or 11), provided the Best Interest of the minor prevails.[7]

Crucially, if the minor is a child (under 12), processing personal data requires the specific and prominent consent of at least one parent or legal guardian (Art. 14, § 1º).[11] The Controller must employ reasonable efforts to verify parental consent using available technology.[11] For a betting platform, which prohibits minors (18+), the primary compliance goal under Art. 14 is robust exclusion and age verification. If any minors' data is processed (e.g., during failed registration), the retention must be justified in the minor's best interest, typically for the sole purpose of maintaining exclusion records.
3.2 Data Subject Rights (DSARs) Management
3.2.1 Meeting the 15-Day Deadline (LGPD Art. 19)
The operational mandate requires establishing systems capable of responding to a full data access request within the strict deadline of 15 days from the request date.[5] The response must be a clear and complete declaration, detailing the data's origin, the criteria used for processing, and the explicit finality (purpose) of the treatment.[5] This deadline is twice as fast as the typical GDPR timeline (30 days) and necessitates localizing PII retrieval systems and streamlining the legal review process to ensure consistency in compliance.
3.2.2 The Right to Anonymization (LGPD Art. 18, IV)
The LGPD grants the explicit right to request the anonymization, blocking, or elimination of data that is unnecessary, excessive, or treated non-compliantly.[4] This requirement mandates highly granular and precise data mapping to distinguish data necessary for regulatory or service continuity purposes from data that is genuinely excessive (e.g., old behavioral profiles beyond retention limits). The company must invest in robust data minimization policies and be prepared to demonstrate that only data strictly necessary for the stated purpose is maintained. Since the ANPD has the authority to issue standards for anonymization techniques[2], the methods used must be technically sound and non-reversible.
3.3 Contracts with Operators and Shared Liability (LGPD Art. 39)
The Brazilian satellite company, acting as the Controller, is ultimately responsible for ensuring that all data processors (Operators), such as cloud providers and payment gateways, adhere to the LGPD. Article 39 explicitly requires the Operator to perform treatment according to the instructions furnished by the Controller.[14]

This relationship carries a significant legal risk due to the LGPD's establishment of solidary liability, meaning the Controller and Operator may be held jointly responsible for damages caused by non-compliant processing.[9] To mitigate this risk, all contracts with Brazilian Operators must be urgently revised to include a specific LGPD Data Processing Addendum (DPA).[16] This DPA must clearly define the scope of processing, mandate the Operator to maintain adequate technical security (Art. 46), require immediate notification of security incidents, and detail indemnification clauses for breach of instruction.
Part IV: Security Incident Management and Compliance Principles
This section translates LGPD's intentionally vague mandates into concrete, actionable security protocols based on ANPD's latest regulatory resolutions.
4.1 Breach Notification Protocol: Defining "Reasonable Time" (LGPD Art. 48)
The ambiguity surrounding the term "reasonable time" for breach notification has been removed by ANPD Resolution CD/ANPD nº 15/2024 (April 2024), establishing clear timelines for communication to the Authority.
4.1.1 Mandatory Deadline to the ANPD
The resolution mandates that the Controller must communicate the incident to the ANPD within 3 business days of obtaining a reasonable degree of certainty that the incident occurred.[6] This timeline necessitates a rapid, decisive incident response team capable of confirming the incident's scope and preparing the initial required notification immediately.
4.1.2 Triggering Criteria: Relevant Risk or Damage
Notification is required only if the incident can cause relevant risk or damage to Data Subjects. For a high-risk betting company, this threshold is almost certainly met, as the criteria explicitly include incidents involving:

1. Financial data (related to transactions).[1]
2. Data in large scale (high number of data subjects/volume).[1]
3. Data of authentication (login, passwords, tokens).[1]
4.1.3 Communication to Data Subjects
Communication to the Titulares (Data Subjects) must also occur within a "reasonable time" to allow for mitigation.[1] Recent ANPD sanctions confirm that delayed communication (e.g., eight months) or non-communication to subjects, even when the ANPD itself was notified, is considered a grave, sanctionable offense.[3] The communication must be clear, non-technical, and explain the nature of the data involved and the protective measures adopted.[1]
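The two hard deadlines this report sets out, the 15-day DSAR response of section 3.2.1 and the 3-business-day ANPD breach notification with its triggering criteria in section 4.1, are the kind of thing an incident-response or privacy-operations team ends up encoding in a ticketing workflow. The following helper is an added example written for this report, not code from the original document or from any ANPD or Entain system. It assumes that the DSAR deadline is counted in calendar days from the request date, that a "business day" is Monday to Friday excluding a holiday list, and it embeds a constructed placeholder holiday calendar; a real deployment would load the official holiday list for the relevant year. The `IncidentProfile` and `build_notification_plan` names are this example's own.

```python
"""Deadline and notification-trigger helper for the LGPD timelines discussed
above (added example; assumptions are marked in comments)."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Assumption: the Art. 19, II deadline is counted in calendar days.
DSAR_CALENDAR_DAYS = 15
# Resolution CD/ANPD nº 15/2024: 3 business days from reasonable certainty.
ANPD_BUSINESS_DAYS = 3
# GDPR Art. 33(1): 72 hours, kept here only for side-by-side comparison.
GDPR_HOURS = 72

# Constructed placeholder holiday calendar (NOT the official list).
SAMPLE_HOLIDAYS: FrozenSet[date] = frozenset({date(2025, 11, 20), date(2025, 12, 25)})


def dsar_deadline(request_date: date) -> date:
    """Last day to deliver the full declaration under Art. 19, II."""
    return request_date + timedelta(days=DSAR_CALENDAR_DAYS)


def add_business_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Advance `start` by n business days, skipping weekends and holidays.
    The start day itself is not counted (assumption)."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def anpd_notification_deadline(certainty_date: date, holidays: FrozenSet[date] = frozenset()) -> date:
    """Deadline to notify the ANPD, counted from the date the controller
    reached reasonable certainty that the incident occurred."""
    return add_business_days(certainty_date, ANPD_BUSINESS_DAYS, holidays)


def gdpr_notification_deadline(certainty_at: datetime) -> datetime:
    """72 calendar hours from awareness, for comparison with the LGPD figure."""
    return certainty_at + timedelta(hours=GDPR_HOURS)


@dataclass(frozen=True)
class IncidentProfile:
    """Facts the IR team establishes during triage (hypothetical structure)."""
    involves_financial_data: bool = False
    large_scale: bool = False
    involves_auth_data: bool = False
    data_categories: Tuple[str, ...] = ()   # plain-language list for the subject notice


def notification_triggers(profile: IncidentProfile) -> List[str]:
    """Return the 'relevant risk or damage' criteria from section 4.1.2 that
    the incident matches. A non-empty list means notification is required."""
    matched = []
    if profile.involves_financial_data:
        matched.append("financial data")
    if profile.large_scale:
        matched.append("large scale")
    if profile.involves_auth_data:
        matched.append("authentication data")
    return matched


def build_notification_plan(profile: IncidentProfile, certainty_at: datetime,
                            holidays: FrozenSet[date] = frozenset()) -> Dict[str, object]:
    """Assemble the dates and facts the communication plan needs."""
    triggers = notification_triggers(profile)
    plan: Dict[str, object] = {"notify_required": bool(triggers), "triggers": triggers}
    if triggers:
        plan["anpd_deadline"] = anpd_notification_deadline(certainty_at.date(), holidays)
        plan["gdpr_deadline"] = gdpr_notification_deadline(certainty_at)
        # Section 4.1.3: the subject notice must state the nature of the data involved.
        plan["subject_notice_data_categories"] = list(profile.data_categories)
    return plan


if __name__ == "__main__":
    # Constructed scenario: certainty reached on Friday 31 Oct 2025 at 18:00.
    incident = IncidentProfile(involves_financial_data=True, large_scale=True,
                               data_categories=("payment method", "transaction history"))
    print(build_notification_plan(incident, datetime(2025, 10, 31, 18, 0), SAMPLE_HOLIDAYS))
    print("DSAR received 27 Oct 2025 is due", dsar_deadline(date(2025, 10, 27)))
```

Running the scenario at the bottom shows why the IR plan should not rely on a single mental rule of thumb: certainty reached late on a Friday gives an ANPD deadline of the following Wednesday, while the 72-hour figure lands on Monday evening, and a mid-week holiday pushes the business-day count out further. Where the EU parent is also involved in the same incident, the plan should schedule against whichever of the two dates comes first.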
4.2 Review of Principles: Necessity and Non-Discrimination (LGPD Art. 6, 20)
4.2.1 The Principle of Necessity
Data processing must be limited to the minimum necessary for the achievement of its purposes (Art. 6, III). For the betting sector, this requires a rigorous audit to justify the collection and retention of every data point, ensuring no excessive behavioral data is collected beyond what is strictly required for service delivery, regulatory compliance, or essential fraud prevention.
4.2.2 Non-Discrimination (Automated Decision-Making)
As the company uses algorithms for profiling (risk scoring, automated rejection of services), compliance with Article 20 is essential to prevent automated systems from introducing or replicating biases (racial, socioeconomic, political, etc.).[18] The objective is not merely non-discriminatory intent, but a non-discriminatory outcome.
To manage this algorithmic accountability, the ANPD's technical guidance suggests several actionable mitigations.[20] The compliance team must implement: (1) Periodic Monitoring and Audits of the algorithms; (2) Human Oversight to review decisions made entirely by machines; and (3) a Right to Explanation mechanism (Art. 20), allowing data subjects to request clear information about the automated criteria used to reach a decision (e.g., why a risk score was assigned).[19] Furthermore, conducting a Human Rights Impact Assessment (HRIA) is suggested to proactively mitigate biases in AI systems.[20]
Part V: Implementation Roadmap and Accountability (LGPD Art. 6)
This operational roadmap outlines the steps required to transition from legal strategy to institutionalized data governance, grounded in the Accountability Principle.
5.1 Step 1: Data Inventory & Mapping (Foundation)
The objective is to create a comprehensive and living Registro de Operações de Tratamento (ROT) of all data flows within the Brazilian entity. This involves identifying all systems processing PII and sensitive data, categorizing data by type (financial, behavioral) and data subject. Crucially, the process must assign the specific LGPD Legal Basis (Art. 7 or 11) and the retention period for every data set, establishing a defensible record of processing.
5.2 Step 2: Review of Principles and Data Minimization
The objective is to validate that all identified processing activities adhere to the 10 LGPD principles, focusing intensely on Necessity and Non-Discrimination. This requires a systemic challenge of all data fields to prove they are strictly necessary for the stated purpose. Any processing relying on Legitimate Interest must be documented through a rigorous LIA to ensure the Controller's interest is balanced against the Data Subject's rights.[13]
5.3 Step 3: Update Privacy Notices
The objective is to draft a Privacy Policy (Política de Privacidade) in Portuguese that is clear, accurate, and easily accessible. The policy must explicitly state the Controller's identity, the purpose and duration of processing, the specific LGPD legal bases relied upon, the DPO's contact information, and detailed information on international data sharing with the EU parent company.[9] Transparency regarding automated decision-making processes must also be included.
5.4 Step 4: Implement a Robust DSAR Process
The objective is to establish a formal, free-of-charge channel for Data Subject Requests (DSARs) and implement a workflow designed to consistently meet the strict 15-day response deadline.[5] This requires developing standardized processes for all Art. 18 rights (Access, Correction, Anonymization) and implementing robust identity verification procedures (KYC) to prevent unauthorized disclosure.[21]
5.5 Step 5: Technical Security Audit and Operator Vetting
The objective is to verify that technical and administrative security measures (Art. 46) align with LGPD standards. This involves conducting a penetration test focused on financial data protection. Crucially, all third-party Operator contracts must be audited, and the required instructions and solidary liability clauses must be formally integrated via a DPA.[14]
5.6 Step 6: Training, Reporting, and Accountability Institutionalization
The final objective is to embed the LGPD into corporate culture and maintain records to demonstrate compliance to the ANPD. This necessitates mandatory, recorded training for all Brazilian employees. The DPO must be institutionalized as a key advisor. The organization must maintain meticulous records of processing activities (ROT), RIPDs, and all DSAR and incident responses to prove regulatory adherence upon ANPD request.
Works cited
1. ANPD aprova Regulamento de Comunicação de Incidente de Segurança | Insights, accessed October 26, 2025, https://www.mayerbrown.com/pt/insights/publications/2024/05/anpd-approves-data-breach-notifying-regulation
2. O papel da Autoridade Nacional de Proteção de Dados Pessoais (ANPD) conforme a nova Lei Geral de Proteção de Dados Pessoais (LGPD) - Centre for Information Policy Leadership, accessed October 26, 2025, https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/[pt]_cipl-idp_paper_on_the_role_of_the_anpd_under_the_lgpd__04.17.2020_.pdf
3. ANPD aplica as primeiras sanções de 2024 | Insights | Mayer Brown, accessed October 26, 2025, https://www.mayerbrown.com/pt/insights/publications/2024/02/anpd-applies-first-sanctions-of-2024
4. Direitos do Titular - LGPD – Lei Geral de Proteção de Dados - TRF5, accessed October 26, 2025, https://www.trf5.jus.br/index.php/lgpd/lgpd-direitos-do-titular
5. Artigo 19: Requisições do Titular de Dados Pessoais - Capítulo 3 - LGPD, accessed October 26, 2025, https://lgpd-brasil.info/capitulo_03/artigo_19
6. ANPD publica Resolução sobre Comunicação de Incidentes de Segurança - DANIEL LAW, accessed October 26, 2025, https://www.daniel-ip.com/pt/client-alert/anpd-publica-resolucao-sobre-comunicacao-de-incidentes-de-seguranca/
7. ANPD divulga Enunciado sobre o Tratamento de Dados Pessoais de Crianças e Adolescentes | Insights | Mayer Brown, accessed October 26, 2025, https://www.mayerbrown.com/pt/insights/publications/2023/05/brazilian-anpd-publishes-statement-on-youth-data-processing
8. Guia prático para agentes de tratamento | Mattos Filho, accessed October 26, 2025, https://www.mattosfilho.com.br/wp-content/uploads/2025/01/mattos-filho-guia-pratico-para-agentes-de-tratamento.pdf
9. Guia Orientativo para Definições dos Agentes de Tratamento de Dados Pessoais e do Encarregado - Portal Gov.br, accessed October 26, 2025, https://www.gov.br/anpd/pt-br/centrais-de-conteudo/materiais-educativos-e-publicacoes/2021.05.27GuiaAgentesdeTratamento_Final.pdf
10. CLÁUSULAS-PADRÃO CONTRATUAIS | Google Cloud Documentation, accessed October 26, 2025, https://cloud.google.com/sccs/br-c2p?hl=pt-br
11. Artigo 14: Dados pessoais de crianças e adolescentes - Capítulo 2 - LGPD, accessed October 26, 2025, https://lgpd-brasil.info/capitulo_02/artigo_14
12. Novo Regulamento da ANPD: Transferências Internacionais ..., accessed October 26, 2025, https://www.mayerbrown.com/pt/insights/publications/2024/08/new-anpd-regulation-international-data-transfers
13. Contribuições no Documento Opine - Aqui - Portal Gov.br, accessed October 26, 2025, https://www.gov.br/anpd/pt-br/acesso-a-informacao/participacao-social/outras-acoes/documentos/contribuicoes_ts_05_22_ii_ocultado.pdf
14. Artigo 39: Obrigações do Operador em relação ao Controlador - Capítulo 6 - DOS AGENTES DE TRATAMENTO DE DADOS PESSOAIS - LGPD Brasil, accessed October 26, 2025, https://lgpd-brasil.info/capitulo_06/artigo_39
15. Article 39: Obligations of the Operator Towards the Controller - Chapter 6 - LGPD Brazil, accessed October 26, 2025, https://lgpd-brazil.info/chapter_06/article_39
16. DA PROTEÇÃO DE DADOS PESSOAIS XXXX [NÚMERO ORDINAL] TERMO ADITIVO AO CONTRATO N.º XXXX/XXXX, PROTOCOLO N. - PGE-PR, accessed October 26, 2025, https://www.pge.pr.gov.br/sites/default/arquivos_restritos/files/documento/2022-08/minuta_reol_160-2022.pdf
17. minuta-termo-aditivo-lgpd-ncp-atualizado-co-controladores.docx - Portal Gov.br, accessed October 26, 2025, https://www.gov.br/mme/pt-br/assuntos/orgaos-vinculados/nuclep/acesso-a-informacao/compras-e-servicos/licitacoes/2024/arquivos/chamamento-003-2024/minuta-termo-aditivo-lgpd-ncp-atualizado-co-controladores.docx
18. O DEVER DE JUSTIFICAR DECISÕES BASEADAS EM INTELIGÊNCIA ARTIFICIAL PARA EVITAR O PRECONCEITO E A DISCRIMINAÇÃO - JusLaboris, accessed October 26, 2025, https://juslaboris.tst.jus.br/bitstream/handle/20.500.12178/215795/2023_araujo_jailson_dever_justificar.pdf?sequence=2&isAllowed=y
19. O DIREITO À REVISÃO DAS DECISÕES AUTOMATIZADAS DE RECONHECIMENTO FACIAL E O PRINCÍPIO ANTROPOCÊNTRICO - Index Law Journals, accessed October 26, 2025, https://www.indexlaw.org/index.php/rdb/article/download/8569/7040/29350
20. Inteligência Artificial: ANPD publica nota técnica sobre decisões ..., accessed October 26, 2025, https://lefosse.com/noticias/inteligencia-artificial-anpd-publica-nota-tecnica-sobre-decisoes-automatizadas/
21. Contribuição Data Privacy Brasil - Tomada de Subsídios Direitos dos Titulares - Portal Gov.br, accessed October 26, 2025, https://www.gov.br/anpd/pt-br/acesso-a-informacao/participacao-social/outras-acoes/documentos/ts_02-_2024__contribuicoes.pdf
Glossary
| Term/Acronym (Portuguese/English) | Definition |
|---|---|
| ANPD (Autoridade Nacional de Proteção de Dados) | The Brazilian National Data Protection Authority, the governmental regulatory body responsible for LGPD enforcement, sanction application, and providing regulatory guidance.[1] |
| Anonymization | A technique that prevents the direct or indirect association of data with an identified or identifiable individual. The LGPD grants Data Subjects the explicit right to request the anonymization of excessive or non-compliant data.[2] |
| BCRs (Binding Corporate Rules) | Internal corporate rules governing international data transfers within a multinational group. If approved by the ANPD, the complete rules must be disclosed to Data Subjects within 15 days upon request.[3] |
| Controller (Controlador) | The natural or legal person, public authority, or entity responsible for making decisions regarding the processing of personal data.[4] |
| Data Subject (Titular) | The natural person to whom the personal data being processed belongs.[2] |
| DPIA (Data Protection Impact Assessment) | The formal assessment of risks associated with high-risk personal data processing activities, required under the LGPD (called RIPD in Brazil).[6] |
| DPO (Data Protection Officer) / Encarregado | The mandatory communication channel between the Controller, the Data Subjects, and the ANPD. This role requires public disclosure of contact information.[7] |
| DSAR (Data Subject Access Request) | A formal request from a Data Subject to exercise their rights, such as accessing their data or requesting correction, anonymization, or elimination.[2] |
| GDPR (General Data Protection Regulation) | The foundational data protection law of the European Union, often used as a comparative benchmark for LGPD requirements.[1] |
| LGPD (Lei Geral de Proteção de Dados) | Brazil's comprehensive General Data Protection Law (Law No. 13.709/2018), which governs the use and protection of personal data in the country. |
| Legitimate Interest (Art. 7, IX) | A legal basis that allows processing based on the legitimate interests of the Controller, provided a formal assessment (LIA) balances these interests against the Data Subject's rights and freedoms.[7] |
| Necessity Principle | The LGPD principle (Art. 6, III) that processing must be limited to the minimum necessary for the achievement of its stated purpose, mandating strict data minimization.[8] |
| Non-Discrimination Principle | The LGPD principle (Art. 20) that automated processing should not result in unlawful or abusive discriminatory effects.[9] |
| Operator (Operador) | The natural or legal person or entity that processes personal data on behalf of the Controller, acting solely based on the Controller's instructions.[10] |
| Protection of Credit (Art. 7, X) | A specific legal basis that authorizes the processing of personal data necessary to protect credit, commonly used for financial fraud prevention and solvency checks.[7] |
| RIPD (Relatório de Impacto à Proteção de Dados) | The Portuguese name for the Data Protection Impact Assessment (DPIA) mandated by LGPD Article 38.[6] |
| ROT (Registro de Operações de Tratamento) | The formal Record of Processing Activities required under the LGPD (Art. 37), which large organizations must maintain and produce upon ANPD request.[12] |
| SCCs (Standard Contractual Clauses) | Formal contractual clauses used to legally govern international data transfers, ensuring the recipient adheres to LGPD standards.[13] |
| Solidary Liability | The legal principle under the LGPD (Art. 42) where the Controller and Operator can be held jointly responsible (solidariamente) for damages resulting from non-compliant data processing.[4] |
The report highlights several sections of the LGPD that require nuanced interpretation or introduce operational mandates that differ significantly from other global frameworks like the GDPR, particularly where the ANPD has provided clarifying guidance.

Here are the LGPD Articles that contain critical nuances for compliance:
| LGPD Article | Area of Compliance | Key Nuance or Clarification |
|---|---|---|
| Art. 4 | Territorial Scope | Establishes extraterritorial criteria: processing carried out in Brazil, processing of data subjects located in Brazil, and any offering of goods or services to the Brazilian public all fall under LGPD jurisdiction. |
| Arts. 7, 7 (X) and 11 | Legal Bases (Fraud Prevention) | Art. 7 lists 10 legal bases (Art. 11 lists the separate bases for sensitive data). ANPD guidance suggests that for high-risk activities such as financial fraud prevention, a specific basis such as Protection of Credit (Art. 7, X) provides a more robust and defensible anchor than the broader Legitimate Interest (Art. 7, IX).1 |
| Art. 14 | Data of Minors (Children and Adolescents) | The ANPD's stated position (Enunciado) is that processing of minors' data may rely on any legal basis in Arts. 7 or 11, provided the best interest of the minor prevails. Data of children (under 12) still requires specific and prominent consent from a parent or legal guardian (Art. 14, § 1º).2 |
| Art. 18, IV | Data Subject Rights (Anonymization) | Grants an explicit, standalone right to request the anonymization, blocking or elimination of unnecessary, excessive or non-compliant data.4 Honouring it requires a technical capability for non-reversible anonymization that goes beyond a standard GDPR erasure request. |
| Art. 19, II | Data Subject Access Request (DSAR) Deadline | Imposes a deadline of 15 days from the request for a clear and complete declaration of the processing, significantly shorter than the one-month period under the GDPR.5 |
| Art. 20 | Automated Decision-Making | Establishes the right to request review of decisions taken solely on the basis of automated processing, and to be informed of the criteria and procedures used. Compliance requires mechanisms such as human oversight, periodic audits and a Right to Explanation, so that algorithms adhere to the Non-Discrimination Principle.6 |
| Art. 33 | International Data Transfers (BCRs) | If Binding Corporate Rules (BCRs) are used as the transfer mechanism, the complete text of the rules, once approved by the ANPD, must be made available to Data Subjects within 15 days of a request.8 |
| Art. 39 | Operator Contracts | Requires the Operator to carry out processing strictly according to the Controller's instructions.9 This matters because the LGPD establishes solidary liability (joint responsibility) between Controller and Operator for damages caused by non-compliance.11 |
| Art. 48 | Security Incident Notification | Requires notification of incidents to the ANPD within a "reasonable time". ANPD Resolution CD/ANPD 15/2024 fixed this at 3 business days, counted from the moment the processing agent becomes aware that the incident affected personal data, turning an open-ended obligation into a defined deadline.12 |
The LGPD mandates highly specific, often accelerated,
operational requirements compared to other global frameworks. For Entain,
compliance with Article 19 (Data Subject Rights) and Article 33 (International
Data Transfers) requires significant technical integration and adherence to
strict local deadlines.
Here is a detailed breakdown of the requirements and the
implementation strategy for Entain's Brazilian satellite company:
Detailed Compliance Strategy: LGPD Articles 19 and 33
A. LGPD Article 19: Data Subject Rights (DSAR) Management
Article 19 defines the speed and completeness required
for responding to Data Subject Access Requests (DSARs). For a high-volume data
controller like Entain, which processes financial data and automated profiles,
the implementation must focus on automation and security to meet the aggressive
deadline.
1. The Core Requirement: 15-Day Deadline
The LGPD requires the Controller to answer an access request either immediately, in simplified form (Art. 19, I), or by way of a "clear and complete declaration" indicating the origin of the data, the absence of a record, the criteria used and the purpose of the processing, within a maximum of 15 (fifteen) days from the date of the request (Art. 19, II).1 This compressed timeline, half of the one-month period used in other jurisdictions, is the single greatest operational challenge for DSAR management in Brazil.
2. Entain’s Operational Strategy for Article 19
| Compliance Requirement | Actionable Implementation Detail for Entain | Citation |
|---|---|---|
| Establish Secure Channel | Implement a formal, free-of-charge and secure digital channel (e.g., an authenticated web portal or API endpoint) to receive requests for every right granted under LGPD Article 18 (confirmation, access, correction, anonymization, portability, elimination, revocation of consent, etc.). | 2 |
| Mandatory Identity Verification | Integrate the existing Know Your Customer (KYC) checks into the DSAR workflow. Given the financial and sensitive nature of betting data, the requester's identity must be verified before any data is released, to prevent identity theft or fraudulent access.3 Verification should reuse data already held for the account rather than collecting new documents, so that the check itself does not breach the necessity principle. | 3 |
| Deliver "Clear and Complete" Response | The response within 15 days cannot be a raw data dump. It must be a structured declaration that specifies the origin of the data (e.g., collected directly or via a payment processor), the purpose (finalidade) of each processing activity, and the criteria used for automated decision-making (relevant for risk profiles or betting limits).1 | 1 |
| Address Anonymization Requests | Build the capability to execute the explicit right to anonymization (Art. 18, IV) of data deemed unnecessary or excessive. This requires granular data mapping so that anonymization is non-reversible wherever the data lives (primary stores, replicas, backups, analytics copies). Hashing or pseudonymizing identifiers while retaining the key is not anonymization: such data remains personal data under the LGPD (Art. 12).2 | 2 |
| Internal SLA Management | Legal, Privacy and IT must adopt an internal Service Level Agreement well inside the 15-day limit (e.g., 5-7 days for data retrieval and 3 days for legal review) to leave a buffer against system delays and ensure consistent compliance. | 1 |
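The anonymization rows above (Art. 18, IV in the nuances table and the "Address Anonymization Requests" requirement) turn on one technical distinction: a reversible pseudonym is still personal data, while an anonymized record must not be re-linkable with reasonable effort. The Python below is an added example written for this page, not code from the original post or from Entain's systems. It contrasts keyed pseudonymization with non-reversible anonymization of a constructed bettor record, and includes a check showing why a plain hash of a low-entropy field such as a birth date does not qualify as anonymization. The field names, sample values and the HMAC key are assumptions made for illustration.

```python
"""Added example (not part of the original post): reversible pseudonymization
versus non-reversible anonymization of a bettor record, plus a check showing
why a plain hash of a low-entropy field is not anonymization.

Field names, the sample record and the key are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "cpf": "123.456.789-09",
    "name": "Ana Souza",
    "email": "ana.souza@example.com",
    "birth_date": "1988-07-14",
    "cep": "30130-010",
    "deposit_total_brl": 1875.40,
    "bet_count": 212,
}
DIRECT_IDENTIFIERS = ("cpf", "name", "email")


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with a keyed reference (HMAC-SHA256 over the
    CPF digits). Whoever holds `key` can re-link the row to the person, so the
    output is pseudonymized data and remains personal data (LGPD Arts. 12-13)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    digits = "".join(ch for ch in record["cpf"] if ch.isdigit())
    out["subject_ref"] = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return out


def count_band(n: int) -> str:
    """Coarse bucket for activity counts, so exact counts cannot single a row out."""
    for upper, label in ((10, "0-9"), (100, "10-99"), (1000, "100-999")):
        if n < upper:
            return label
    return "1000+"


def anonymize(record: dict, as_of_iso: str) -> dict:
    """Non-reversible form for an Art. 18, IV request: direct identifiers are
    dropped (not hashed), quasi-identifiers are generalized, and the row gets a
    fresh random id that is never written next to the identity."""
    as_of = date.fromisoformat(as_of_iso)
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    born = date.fromisoformat(out.pop("birth_date"))
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    out["age_band"] = f"{age // 10 * 10}-{age // 10 * 10 + 9}"
    out["cep_prefix"] = out.pop("cep")[:3]                  # region only
    out["deposit_total_brl"] = round(out["deposit_total_brl"], -2)
    out["bet_count_band"] = count_band(out.pop("bet_count"))
    out["row_id"] = secrets.token_hex(16)                    # unlinkable per call
    return out


def leaks_direct_identifier(record: dict, out: dict) -> bool:
    """True if any raw identifier value survived verbatim into the output."""
    raw = {str(record[k]) for k in DIRECT_IDENTIFIERS}
    return any(str(v) in raw for v in out.values())


def naive_hash(value: str) -> str:
    """The 'anonymization' many teams reach for first: unkeyed SHA-256."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_hashed_birth_date(digest_hex: str,
                              start: date = date(1900, 1, 1),
                              end: date = date(2025, 12, 31)):
    """Why naive_hash(birth_date) is not anonymization: the input space is only
    about 46k dates, so the hashed value is recovered by plain enumeration."""
    d = start
    while d <= end:
        if naive_hash(d.isoformat()) == digest_hex:
            return d.isoformat()
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("pseudonymized:", pseudonymize(SAMPLE_RECORD, key))
    print("anonymized:   ", anonymize(SAMPLE_RECORD, "2024-06-01"))
    digest = naive_hash(SAMPLE_RECORD["birth_date"])
    print("naive hash reversed to:", recover_hashed_birth_date(digest))
```

The same enumeration attack applies to hashed CPFs (11 digits with two check digits, so roughly a billion candidates) and to any other field with a small or structured value space; the only difference is how long it takes. For the DSAR workflow, the practical consequence is that an anonymization request is satisfied by suppression and generalization applied in every copy of the data, not by a hash step in the export pipeline.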
B. LGPD Article 33: International Data Transfers (IDTs)
Article 33 governs the transfer of personal data outside
Brazil, a critical concern as the satellite entity sends data back to the EU
parent company (Entain) or other global centers.
1. The Core Requirement: Formalizing Safeguards
Every transfer must be covered by one of the mechanisms prescribed by the LGPD, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), since neither Brazil nor the EU has adopted an adequacy decision covering the other. The ANPD regulated these mechanisms, and published its model SCCs, in Resolution CD/ANPD 19/2024.
2. Entain’s Formalization and Operational Strategy
| Compliance Requirement | Actionable Implementation Detail for Entain | Citation |
|---|---|---|
| Select and Implement Mechanism | Entain must formally implement either the ANPD's Standard Contractual Clauses (SCCs) or the group's Binding Corporate Rules (BCRs), the latter subject to ANPD approval. | 4 |
| Disclosure Timeline for BCRs | If the company relies on BCRs, the rules must be submitted to and approved by the ANPD. The complete text of the approved BCRs must then be made available to Data Subjects on request within 15 (fifteen) calendar days. This mirrors the DSAR deadline and requires the corporate legal repository to be wired into the local Brazilian DSAR response workflow.5 | 5 |
| SCCs: Best Interest of Minors | If using SCCs, the clauses must include additional safeguards for the transfer of data relating to children or adolescents. The receiving entity (the "Importador", e.g., the EU parent) must contractually guarantee that processing aligns with the minor's best interest, as required by Brazilian law (Arts. 14 and 33).4 | 4 |
| Incident Notification Obligation | Regardless of the mechanism chosen, the receiving entity (the Importador) must be contractually bound to the LGPD incident notification rules, so that a security incident posing relevant risk or damage to data subjects is communicated to the ANPD within 3 (three) business days, the deadline set by Resolution CD/ANPD 15/2024.4 | 4 |