LGPD: What You Need to Know

Last Modified: June 27, 2022

LGPD is Brazil’s Lei Geral de Proteção de Dados Pessoais, which went into effect in September 2020. Like the European Union’s General Data Protection Regulation (GDPR) and newly enacted US state laws, LGPD is a principle-based regulation, requiring personal data to be processed fairly, lawfully, and transparently for defined purposes only.

Here is some additional information to explain how Neustar meets the LGPD’s requirements:

  • We built and continue to deploy streamlined data ingestion, inventory, retention/purge and processing systems and technologies to automate the application of our data privacy commitments and data governance policies, and to facilitate data subject rights such as access, deletion, objection, and opt-out.
  • We designated a Data Protection Officer.
  • We enhanced our existing privacy and security training to ensure that all LGPD-required topics are covered.
  • In advance of the effective date of GDPR, we overhauled our existing Privacy Impact Assessments (PIAs), which are designed to serve as Data Protection Impact Assessments (DPIAs) for relevant products and services under appropriate circumstances as required by law. We continue to review and refine this information as laws applicable to Neustar’s data processing activities evolve.
  • We review and revise our privacy notices and transparency processes annually and monitor the sufficiency of our processes for receiving and responding to data subject requests for access, correction, erasure, objection, and portability as applicable.
  • We ensured that our portal for receiving and processing data subject requests, including requests for confirmation of processing, access, correction, objection, and erasure of personal data, complies with LGPD requirements.
  • We entered into an intra-company agreement based on standard contractual clauses approved by the European Commission to govern the transfer of personal data from Brazil to Neustar entities globally.

1. What personal data does Neustar collect and how is LGPD compliance achieved?

The data Neustar processes varies from product to product (and sometimes from customer to customer) and is set out in great detail in our Privacy Statement, which includes charts summarizing (i) the categories and sources of data we process; (ii) data usage by category; and (iii) the categories of third parties to whom personal data may be disclosed. To ensure compliance with LGPD and other privacy norms, Neustar treats any information that is or reasonably can be linked to an identifiable natural person (a "data subject") as "personal data." This includes obvious personal information such as name, address, telephone number, email address, etc., as well as persistent identifiers such as government issued IDs, IP addresses, cookie IDs, advertising IDs, precise location data, etc. when linked or linkable to identifiable individuals or households. We have implemented administrative, technical, and physical safeguards to maintain consumer privacy by segregating information that directly identifies an individual from machine or pseudonymous identifiers and deploying data access, governance, privacy, and confidentiality policies to maintain appropriate limits.

2. What is the legal basis for Neustar’s processing of personal data about Brazilian data subjects?

As permitted by Article 7 of LGPD, Neustar generally processes data as a controller to fulfill our legitimate interests or those of a third party consistent with the data subject’s fundamental rights and liberties. In some cases, we may process data with the data subject’s consent or where the information has been made public by the data subject. Neustar also processes personal data as a service provider (processor) according to instructions provided by our controller/customers.

3. What mechanisms does Neustar use to support the transfer of personal data subject to LGPD to the United States and elsewhere?

Chapter V of the LGPD sets forth principles governing the international transfer of personal data. Among other things, the data controller may offer guarantees of compliance with the principles and data subject rights set forth in the LGPD by providing a) specific contractual clauses for a given transfer; b) standard contractual clauses; c) binding corporate rules; or d) regularly issued stamps, certificates and codes of conduct. Until such time as the Brazilian data protection authority issues approved standard contractual clauses, data transferred by Neustar from Brazil is governed by contracts previously approved for similar purposes by the European Commission.

4. How does Neustar comply with the LGPD principles?

Neustar adopted Privacy by Design principles in 2012 and has always complied with Fair Information Practice Principles (FIPPs). Neustar’s Privacy Principles are available on our website and are consistent with the principles set out in LGPD. To ensure compliance with LGPD and other data protection requirements, we routinely review and update our Privacy Impact Assessments (PIAs), which serve as Data Protection Impact Assessments (DPIAs) when required by applicable law. Our personal data processing practices are described in detail in our online privacy statement.

5. How will Neustar comply with other controller/processor obligations?

As previously indicated, Neustar adopted "Privacy by Design" principles in 2012, and since that time has implemented appropriate technical and organizational measures designed to implement data protection principles by default. As a matter of standard practice, we prepare privacy impact assessments for products/services involving personal data processing. Consistent with the requirements of the LGPD, Neustar’s PIA templates serve as DPIAs where the nature, scope, context and purposes of personal data processing are likely to result in a high risk to compliance with the LGPD’s general principles.

Processors in the United States have long been subject to data breach notification obligations, both to data subjects and to regulators, so we are familiar with these processes. Neustar continuously reviews and updates our privacy and security policies to reflect the highest standards. We are accountable for processing undertaken as a data controller, and as a processor we limit our activities via contract to processing undertaken at the direction and on behalf of the data processor. Neustar’s data governance architecture is designed to streamline and automate compliance with applicable law, including LGPD.

6. How will Neustar ensure compliance with data subject rights under LGPD such as transparency/access/confirmation; deletion/erasure/anonymization; portability; revocation of consent; etc.?

Subject to the limitations contained in applicable data protection laws, including LGPD, Neustar honors all relevant data subject rights. Neustar does not use or permit the use of its services for automated individual decision-making that produces legal effects or otherwise significantly affects a data subject.

Our existing online request portal is designed to handle all data subject requests to exercise LGPD-established rights. Neustar will also honor requests submitted via email to privacy@team.neustar.

7. How will Neustar ensure that it discloses information to the right person?

While certain opt-outs and subject access requests can be automated, it is extremely important to avoid release of personal data about one person to another. Accordingly, Neustar requires sufficient information about the individual's identity in order to ensure that the person making the request is the individual to whom the data relates (or someone authorized by the data subject to make that request). The amount of information needed depends on the nature of the data requested and the means through which it is submitted. For example, if the requestor provides a Cookie ID or places the request electronically, it may be possible to confirm that the Cookies match without requesting additional information. In other cases, we may require reasonable evidence of identity and/or presence in Brazil.

8. Who is Neustar’s Data Protection Officer?

J. Beckwith Burr of HARRIS, WILTSHIRE & GRANNIS LLP has been appointed Neustar’s Data Protection Officer.

9. Other questions:

For more information, please see Neustar’s Privacy Statement. If you have unanswered questions, feel free to contact us via email sent to: privacy@team.neustar