Flag of Brazil



Article 50

Rules of Good Practice and Governance

Controllers and operators, within the scope of their competences, for the processing of personal data, individually or through associations, may formulate rules of good practice and governance that establish the conditions of organization, the operating regime, the procedures, including holder complaints and petitions, safety standards, technical standards, specific obligations for the various parties involved in processing, educational actions, internal supervisory and risk mitigation mechanisms and other aspects related to data processing personal.

  • 1. In establishing rules of good practice, the controller and the operator shall take into consideration, with regard to processing and data, the nature, scope, purpose and likelihood and severity of the risks and benefits arising from data processing. of the holder.
  • 2. In the application of the principles indicated in items VII and VIII of the caput of art. 6 of this Law, the controller, observing the structure, scale and volume of its operations, as well as the sensitivity of the data processed and the probability and severity of the damage to the data subjects, may:
    • I - implement a privacy governance program that, as a minimum:
      • (a) demonstrate the controller's commitment to adopt internal processes and policies that ensure comprehensive compliance with standards and best practices regarding the protection of personal data;
      • (b) apply to any set of personal data under its control, regardless of how it was collected;
      • (c) be adapted to the structure, scale and volume of its operations, as well as the sensitivity of the data processed;
      • (d) establish appropriate policies and safeguards based on the process of systematic impact and privacy risk assessment;
      • (e) has the objective of establishing a relationship of trust with the holder through transparent action and ensuring mechanisms for the holder's participation;
      • (f) is integrated with its general governance structure and establishes and applies internal and external oversight mechanisms;
      • (g) rely on incident response and remediation plans; and
      • (h) is constantly updated based on information obtained from continuous monitoring and periodic evaluations;
    • II - demonstrate the effectiveness of its governance program in privacy when appropriate and, in particular, at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which independently promote the compliance with this law.
  • 3 The rules of good practice and governance shall be published and updated periodically and may be recognized and disclosed by the national authority.