Instituted in 2018, the General Data Protection Law (LGPD) has been in force since September 2020 and regulates the collection, storage, processing, deletion and sharing of personal data in physical or digital media.
But what is the impact of LGPD on light fleet management? The LGPD brought substantial changes to the sector, due to the large volume of personal data that is collected and processed daily in light fleet operations.
To help you adapt to this change, this article gathers the main information about the LGPD in light fleet management. Read on:
What is the LGPD, Brazil’s General Data Protection Act?
Is the General Data Protection Law already valid?
What is charged in the LGPD and what are the punishments?
Principles of LGPD
Who must comply with the General Data Protection Act?
How to adapt to the LGPD?
What does the LGPD change in light fleet management?
What is the LGPD, Brazil’s General Data Protection Act?
The General Data Protection Law (Law No. 13.709), enacted in 2018, entered into force in August 2020 under the sanction of then President Michel Temer. This law established parameters, rights and obligations regarding the processing of personal data in Brazil, that is, information that identifies the citizen, such as registration data, or even location data, such as GPS data.
Before it was implemented in Brazil, similar measures had been adopted elsewhere in the world, because the protection of private data is a concern for people, governments and companies worldwide. One example is the European Union, which has the General Data Protection Regulation (RGPD, the acronym in Portuguese, or GDPR, the acronym in English), in force since May 2018.
In other words, the LGPD reflects a worldwide movement in legal systems toward establishing guidelines on the privacy and security of personal data.

Is the General Data Protection Law already valid?
The law took effect in September 2020; however, the sanctions provided for in it would only apply from August 2021, the period necessary for companies and institutions to become aware of and adapt to the new law.
This is because medium and small companies claimed difficulty adapting due to the pandemic, so the legal principle of "vacatio legis" (a Latin expression meaning vacancy of the law) was applied. It corresponds to the period between the date of publication of a law and the beginning of its effectiveness.
What is charged in the LGPD and what are the punishments?
As already mentioned, the LGPD seeks to preserve and protect the personal data of natural persons, establishing rules for those who use it, from collection through to proper deletion, in order to safeguard the fundamental rights of the holders of this data, such as freedom, privacy and security.
Thus, the basis of the law is transparency and the responsible use of personal information.
As for punishments, in November 2022 the ANPD published Ordinance 35/2022, which establishes the Regulatory Agenda for 2023/2024. Among the points established in this Agenda, we highlight the finalization of the Dosimetry Regulation and Application of Administrative Sanctions, which defines how administrative sanctions for infractions are applied, in addition to the criteria for calculating the value of fines.
But, contrary to what many end up thinking, some administrative sanctions can have a much greater “weight” for operations than fines, for example. The seriousness and nature of the infringements will be considered, as well as the personal rights that have been affected and the economic conditions of the company.
The penalties range from a warning to the blocking of data processing, in addition to a fine of up to 2% on revenues, excluding taxes, reaching R$ 50 million per infraction.
At first, it is expected that the punishments, applied by the ANPD (National Data Protection Authority), are educational, starting with warnings and requests for adequacy.
Thus, large fines are likely to be targeted at large companies to have a significant impact, or even at repeat offenders who have committed something serious.

Principles of LGPD
Principles are the foundations of a legal norm; that is, they are the basis for legal reasoning in the establishment of a norm, with the function of guiding the legislator or any other agent about its motives.
That said, the General Data Protection Law is based on some principles that help in the interpretation of the legislation, emphasizing the importance of the processing of personal data.
Therefore, the idea that companies are the holders of this data no longer applies: now they merely take custody of it.
Check out the 10 principles of Law nº 13.709/2018 present in article 6 of the LGPD:
Goal
Data processing must be carried out for legitimate, specific and explicit purposes. Thus, the purpose of collection, use and storage must be duly informed to the holder of this information.
In addition, this principle also reinforces the impossibility of further treatment in a way that is different from the purposes that have already been informed.
Adequacy
As stated earlier, this principle concerns the compatibility of the treatment with the purposes informed to the holder, depending on the context of the treatment.
Need
There is a limitation of the treatment to a minimum level necessary for the fulfillment of its purposes. That is, the scope of the data must be relevant, proportionate and not excessive in relation to the purposes of handling and processing the data.

Free access
Data subjects must be guaranteed easy, free-of-charge consultation on the form and duration of the processing of their personal data. The integrity of this information must also be ensured.
Data quality
Guarantees holders the accuracy, clarity, relevance and up-to-dateness of the collected data, according to the purpose and need of each treatment.
Transparency
It concerns the guarantee of clear, accurate and easily accessible information for holders about how the treatment is carried out and who performs it, while respecting commercial and industrial secrets.
Safety
Addresses the need to apply technical and administrative measures to protect personal data from unauthorized access and accidental or illegal situations, such as destruction, loss, alteration or dissemination of this information.
Prevention
Refers to the adoption of measures to prevent the occurrence of damage related to the processing of personal data in the company.
Non-discrimination
Clearly, it concerns the impossibility of data processing for discriminatory, illegal or abusive purposes.
Responsibility and accountability
It addresses the demonstration of effective measures capable of proving observance of and compliance with personal data protection standards, and even the success of these measures.

Who must comply with the General Data Protection Act?
The LGPD applies to all business models that carry out data processing operations in the national territory, and that have as their objective the offer or supply of goods or services or the processing of data of individuals located in the national territory.
That is, it covers both B2C companies (which deal directly with a customer) and technology companies and startups, which use data in their processing operations.
In addition, the law also applies to B2B companies (which provide services to other companies) and traditional businesses. After all, personal data refers to information related to an identified or identifiable natural person, such as a simple GPS location, for example.
In short, there is no business model in which the LGPD is not currently relevant.
How to adapt to the LGPD?
This process can be carried out in simple steps.
First, map the data in the company to understand the purposes of this data and where it is stored. That is, get to know your own company and how it has handled data so far.
The next step is to adopt a Privacy Policy that is coherent and consistent with the company's reality. It is time to review contracts/documents with users and employees and establish terms of consent and transparent communication channels with the holders of the information.
After that, it is worth seeking a legal professional and professionals specialized in the data area (IT, marketing, etc.), to understand the grounds and legal basis for processing this information. In view of this, a qualified consultancy can, for example, help establish risk points, create mitigation measures and develop tools to comply with the law.
Please note that this procedure is continuous, and the company must always comply with current regulations and their updates. Therefore, hiring a DPO (Data Protection Officer), a professional responsible for ensuring data protection in the company, is also an excellent measure.

What does the LGPD change in light fleet management?
Generally speaking, since light fleets in companies can perform several services, whether commercial activities such as sales, product deliveries and service deployments (internet, telephone, cable TV, etc.), or just the transportation of employees, the importance of the LGPD is closely linked to the service in question.
For example, in light fleet companies that deliver products, the LGPD is of great importance in the treatment and storage of data such as the address and contact information of the customer who will be receiving the delivery, or who made the purchase.
However, all of these companies must also handle their drivers' personal data properly, and this should be the main concern of the light fleet manager.
After all, your driver's safety should always come first, whether on or off the road.


