Personal Data Protection (LOPDP)

1. Scope of application

Law 172-13 applies to personal-data processing recorded in databases of the public and private sectors, with exceptions for exclusively personal or domestic processing and certain State activities under specific regimes. The definition of personal data is broad and extends to any information about an identified or identifiable natural person.

2. Guiding principles

Recognized principles are consistent with regional standards:

• Legality and consent: processing requires informed consent unless specific legal exceptions apply.
• Purpose: data must be collected for explicit and legitimate purposes; further processing must be compatible.
• Proportionality and quality: data must be accurate, complete and limited to what is necessary.
• Confidentiality and security: duty to adopt reasonable technical and organizational measures.
• Fairness: processing must be fair and non-deceptive.

3. ARCO rights

The data subject is entitled to:

• Access: know which data are processed and by whom.
• Rectification: require correction of inaccurate or incomplete data.
• Cancellation: require deletion when processing is no longer justified.
• Opposition: oppose processing on legitimate grounds relating to the subject's particular situation.

These rights are exercised before the data controller and, upon denial or silence, before authorities or courts via constitutional habeas data.

4. Special data categories

The law recognizes the sensitive character of certain categories —health, ethnic, religious, ideological, identification biometrics— and subjects their processing to stricter requirements. In practice, health and financial data attract the most attention due to sectoral concentration of disputes and complaints.

5. Credit-reporting bureau

Law 172-13 absorbs and develops the prior credit-reporting regime, defining:

• The subject's right to know their credit information and require rectification.
• Maximum retention periods for negative information.
• Bureau and contributor obligations.
• Supervision and complaint mechanisms.

6. International transfers

The current regime treats international transfers in limited fashion. Common business practice, especially for EU flows, contemplates: Standard Contractual Clauses (SCCs) or successor instrument; adequacy analysis of the receiving country; supplementary measures where necessary (encryption, pseudonymization); clear contractual recording of guarantees. For Brazil flows under LGPD, equivalent mechanisms. Adopting a modern domestic transfer regime is among pending matters.

7. Security and breach notification

A general security duty exists, but operational detail —notification timelines and format to authority and affected subjects— is underdeveloped. Best practice: voluntarily adopt a GDPR/LGPD-aligned incident response protocol (72-hour authority notification absent low risk; subject communication when high risk; minimum content; internal log; lessons learned).

8. Processors and contracts

The figure of the processor (encargado), acting on behalf of the controller, requires a written contract defining purposes, instructions, retention, security measures and return/destruction obligations at termination. These contracts are a common non-compliance point in practice.

9. Articulation with other frameworks

Data protection in DR articulates with: Law 53-07 (cybercrime), Law 200-04 (public information access, which sets the transparency/privacy boundary), Law 153-98 (electronic-communications inviolability), and sector-specific regulation in finance, health and telecom. A significant digital project typically requires articulating all of these planes.

10. Toward a new framework

Proposals and discussions for a GDPR/LGPD-aligned new framework exist. Any serious reform will likely address: an independent and operational authority; expanded legal bases; the accountability principle; mandatory DPO in defined cases; impact assessments; detailed international-transfer regime; mandatory breach notification; and effective sanctioning regime. Companies preparing today with GDPR/LGPD standards will be best positioned for the transition.