26 Mar THE FEDERAL COUNCIL OF MEDICINE IN BRAZIL PUBLISHES CONCERNING NORMATIVE RULING ON DATA PRIVACY
Following the same strategy as some Brazilian courts, such as the Court of Justice of São Paulo and the High Labor Courts, today (22.3), the Federal Council of Medicine (“CFM”) published Normative Ruling No. 3 (“IN 3”), which provides the Data Privacy Policy (“PPD”) of Individuals in the scope of CFM and of the Regional Councils of Medicine (“CRM”).
The PPD establishes principles and standards that should guide the processing of personal data, in physical and digital format, in the CFM and in the CRMs, in order to ensure the protection of the privacy of the data subjects. It also defines roles and sets initial guidelines to achieve the gradual compliance of the CFM and of the CRMs with the provisions set forth in the Brazilian General Data Protection Law (“LGPD”).
As in the Privacy Policies of other public bodies, IN 3 defines the Controller within CFM and CRMs as the highest authority of the body, and the Processor as the occupant of the top management of the body, i.e., employees of CFM and CRMs. These definitions draw attention, as they are at odds with the very terms established in article 3, XVIII and XIX of IN 3 (which are based on the LGPD) and with the LGPD itself.
Furthermore, CFM seems to confuse the concepts of Controller and Data Protection Officer: the Controller’s competencies provided for in article 7 of IN 3 include attributions that, under the terms of the LGPD, are competencies of the Data Protection Officer, such as:
(i) establish the Information Security and Personal Data Protection Management Committee and define its respective attributions based on the LGPD;
(ii) provide instructions for the personal data governance policy and respective programs;
(iii) verify compliance with the instructions and rules on the matter in the institution;
(iv) communicate to the National Authority and the data subject, within a reasonable time, the occurrence of security incidents with the personal data, which may cause relevant damage or risk to the data subject; and
(v) encourage the dissemination of the culture of personal data privacy in CFM and CRMs.
Given this concerning scenario, we understand that immediate intervention by the ANPD is needed to assist the public administration in defining these basic concepts and to prevent both their mistaken reproduction and the creation of a legal atmosphere in which the very application of the LGPD is impossible.
The IN 3 comes into effect on the date of its approval and may be fully accessed here.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from Kestener & Vieira Advogados concerning the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.