Data Controller Obligations
Comprehensive framework of obligations that Law 21.719 imposes on data controllers, establishing specific duties of information, documentation, security and proactive accountability in personal data protection.
Proactive Accountability
The controller must demonstrate compliance with obligations through documented technical and organizational controls.
Duty to Inform
Obligation to provide clear, accurate and complete information to data subjects about the processing of their personal data, at the time of collection or before processing begins.
Mandatory Information
- Identity and contact details of the controller
- Contact details of the data protection officer
- Purposes of processing and legal basis
- Categories of personal data processed
- Recipients or categories of recipients
- Planned international transfers
- Retention period or criteria for determining it
- Data subject rights and procedures to exercise them
Information Modalities
- Layered privacy notices
- Just-in-time contextual information
- Accessible privacy policies
- Notifications of substantial changes
Record of Processing Activities
Maintenance of a detailed and updated record of all processing activities under the controller's responsibility, available to the Data Protection Agency when required.
Record Content (ROPA)
- Name and contact details of the controller
- Purposes of processing for each activity
- Description of categories of data subjects
- Categories of personal data processed
- Categories of data recipients
- International transfers and safeguards
- Planned deletion periods
- Technical and organizational security measures
ROPA Management
- Mandatory periodic updates
- Immediate availability for inspections
- Integration with governance processes
Security Measures
Implementation of appropriate technical and organizational measures to ensure a level of security adequate to the processing risk, considering the state of the art and implementation costs.
Technical Measures
- Pseudonymization and data encryption
- Ability to ensure confidentiality
- Ability to ensure integrity
- Ability to ensure availability
- Testing and evaluation procedures
Organizational Measures
- Documented security policies
- Staff training
- Access and privilege management
- Incident response procedures
Security Breach Notification
Obligation to notify the Data Protection Agency of security breaches that may pose a risk to the rights and freedoms of natural persons, within a period not exceeding 72 hours.
Notification Criteria
- High risk to rights and freedoms
- Massive impact on data subjects
- Sensitive data involved
- Possibility of discrimination or fraud
Notification Content
- Description of the nature of the breach
- Approximate number of affected data subjects
- Probable consequences of the breach
- Measures adopted or proposed
Data Processor Management
When processing is carried out on the controller's behalf, the controller must ensure that the processors engaged offer sufficient guarantees to implement appropriate technical and organizational measures.
Processor Selection
- Assessment of technical guarantees
- Assessment of organizational guarantees
- Verification of sectoral experience
- Analysis of security measures
Processing Agreement (DPA)
- Subject matter and duration of processing
- Purpose of processing
- Categories of personal data
- Obligations and rights of the controller
- Specific security measures
Impact Assessments
Conducting Data Protection Impact Assessments (DPIA) when processing, particularly through the use of new technologies, may pose a high risk to rights and freedoms.
Mandatory Cases
- Systematic and comprehensive evaluation
- Large-scale processing of special categories
- Systematic monitoring of public access areas
- New technologies with high risk
DPIA Content
- Systematic description of processing
- Assessment of necessity and proportionality
- Assessment of risks to rights and freedoms
- Measures planned to address risks
Organizational Compliance Framework
Effective implementation of controller obligations requires a systematic approach that integrates legal, technical and organizational aspects into a coherent data governance framework.
Compliance Audit
Comprehensive assessment of the current state of data processing, identification of regulatory gaps and mapping of information flows in the organization.
Policy Design
Development of internal regulatory frameworks that establish clear procedures for compliance with each specific controller obligation.
Technical Implementation
Deployment of technical and organizational measures, including consent management systems, ROPA and incident response procedures.
Continuous Monitoring
Establishment of supervision and continuous improvement systems that ensure maintenance of compliance in the face of regulatory and operational changes.
Key Compliance Indicators (KPI)