LGPD FAQ (for third-party data subjects)
In some cases, our data processing activities fall under Brazilian data protection laws. Snov.io complies with Brazil’s General Data Protection Act (LGPD) and implements appropriate technical and organizational measures to ensure secure processing and transfer of personal data.
What is the LGPD?
Brazil’s General Data Protection Act (Lei Geral de Proteção de Dados), or LGPD, is a privacy and security law created for protection of personal data in Brazil. LGPD was enacted on August 14, 2018.
Under the LGPD, any information that makes it possible to identify an individual can be considered personal data.
The key definitions of the LGPD are similar to the GDPR. For example, there are two main roles that a company can take on when processing personal data – data controller and data processor.
A data controller is an entity in charge of making the decisions regarding the processing of personal data, while a data processor is an entity that processes personal data on behalf of a data controller. However, unlike the GDPR, the LGPD does not explain the definition of a joint controller, but the concept of joint controllership was introduced by ANPD (Brazil’s data protection authority) in its guidelines.
If a company fails to comply with LGPD requirements, a national authority, i.e. ANPD may apply the administrative sanctions against such a company, including fines of up to 2% of the company’s revenue in its last fiscal year, excluding taxes, capped at R$ 50,000,000 (approximately USD 10,000,000) per infraction.
How long do we process your personal data?
We process your personal data either as a joint data controller with our clients or as a data processor on behalf of and under the directions of our clients.
When we act as a data controller jointly with other controllers, we store your personal data for the entire period the particular client uses our services and 3 months after the termination of their account on our platform.
In some cases, two or more clients provide your data to us simultaneously. In such a case, we store your personal data during the entire period during which one of such clients uses our services and 3 months after.
When we act as a data processor, we process your personal data only for the period of time specified by the client.
What is the legal basis for your personal data processing?
When we act as a data processor, we process your personal data only on the сlients’ behalf and due to their directions.
We urge our clients to ensure the presence of the legal grounds for the processing of your personal data in accordance with requirements provided by Article 7 of the LGPD and believe that clients have the appropriate legal basis to transmit your personal data to us, including by obtaining valid consent from data subjects to do so.
What rights do you have under the LGPD?
Article 18 of the LGPD provides you with the following rights:
- right to confirmation of the existence of the processing;
- right to access the data;
- right to correct incomplete, inaccurate or out-of-date data;
- right to anonymize, block, or delete unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD;
- right to the portability of data to another service or product provider, by means of an express request;
- right to delete personal data processed with the consent of the data subject;
- right to obtain the information about the possibility of not giving consent and about the consequences of the refusal;
- right to obtain the information about public and private entities with which the controller has shared data;
- right to revoke consent.
You may exercise these rights by submitting your request at email@example.com or via live chat in the lower right corner.
Please note that we cannot fulfil the request if we cannot verify your identity and confirm the personal data relates to you. So make sure to provide your name, contact information, and details in your request. We process such information only to verify your identity and not for anything else.
Can you request to provide you with a copy of your personal data?
Yes, you can by submitting your request at firstname.lastname@example.org or via live chat in the lower right corner.
You may also request the following information regarding the processing of your personal data under the LGPD:
- the specific purpose of the processing;
- the type and duration of the processing, being observed commercial and industrial secrecy;
- identification of the controller;
- the controller’s contact information;
- information regarding the shared use of data by the data controller and the purpose;
- responsibilities of the agents that will carry out the processing;
- the data subject’s rights;
We are committed to providing you with a copy of your personal data within a period of 15 days from the date of your valid request, subject to commercial and industrial secrecy unless otherwise implied by Brazil’s laws.
We cannot fulfil the request if we cannot verify your identity and confirm the personal data relates to you, so please make sure to provide your name, contact information, and details in your request. We process such information only to verify your identity and not for anything else.
Can you delete your data?
You have the right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD. In your request, please provide enough details to allow us to understand your justifications, evaluate and respond to the request.
You also have the right to delete personal data processed with the consent of the data subject. You have a right to request permanent deletion of your data, subject to certain exceptions (for example, if we have other legal grounds to process your personal data.)
We cannot fulfill the request if we cannot verify your identity and confirm the personal data relates to you, so please make sure to provide your name, contact information, and details in your request. We process such information only to verify your identity and not for anything else.