Last Modified: August 16, 2021
LGPD is Brazil’s Lei Geral de Proteção de Dados Pessoais, which went into effect in September 2020. Like the European Union’s General Data Protection Regulation (GDPR) and newly enacted US state laws, LGPD is a principle-based regulation, requiring personal data to be processed fairly, lawfully, and transparently for defined purposes only.
Here is some additional information to explain how Neustar meets the LGPD’s requirements:
The data Neustar processes varies from product to product (and sometimes from customer to customer) and is set out in great detail in our Privacy Statement, which includes charts summarizing (i) the categories and sources of data we process; (ii) data usage by category; and (iii) the categories of third parties to whom personal data may be disclosed. To ensure compliance with LGPD and other privacy norms, Neustar treats any information that is or reasonably can be linked to an identifiable natural person (a "data subject") as "personal data." This includes obvious personal information such as name, address, telephone number, email address, etc., as well as persistent identifiers such as government issued IDs, IP addresses, cookie IDs, advertising IDs, precise location data, etc. when linked or linkable to identifiable individuals or households. We have implemented administrative, technical, and physical safeguards to maintain consumer privacy by segregating information that directly identifies an individual from machine or pseudonymous identifiers and deploying data access, governance, privacy, and confidentiality policies to maintain appropriate limits.
As permitted by Article 7 of LGPD, Neustar generally processes data as a controller to fulfill our legitimate interests or those of a third party, consistent with the data subject’s fundamental rights and liberties. In some cases, we may process data with the data subject’s consent or where the information has been made public by the data subject. Neustar also processes personal data as a service provider (processor) according to instructions provided by our controller/customers.
Chapter V of the LGPD sets forth principles governing the international transfer of personal data. Among other things, the data controller may offer guarantees of compliance with the principles and data subject rights set forth in the LGPD by providing a) specific contractual clauses for a given transfer; b) standard contractual clauses; c) binding corporate rules; or d) regularly issued stamps, certificates and codes of conduct. Until such time as the Brazilian data protection authority issues approved standard contractual clauses, data transferred by Neustar from Brazil is governed by contracts previously approved for similar purposes by the European Commission.
Neustar adopted Privacy by Design principles in 2012 and has always complied with Fair Information Practice Principles (FIPPs). Neustar’s Privacy Principles are available on our website and are consistent with the principles set out in LGPD. To ensure compliance with LGPD and other data protection requirements, we routinely review and update our Privacy Impact Assessments (PIAs), which serve as Data Protection Impact Assessments (DPIAs) when required by applicable law. Our personal data processing practices are described in detail in our online privacy statement here.
As previously indicated, Neustar adopted "Privacy by Design" principles in 2012, and since that time has implemented appropriate technical and organizational measures designed to implement data protection principles by default. As a matter of standard practice, we prepare privacy impact assessments for products/services involving personal data processing. Consistent with the requirements of the LGPD, Neustar’s PIA templates serve as DPIAs where the nature, scope, context and purposes of personal data processing are likely to result in a high risk to compliance with the LGPD’s general principles.
Processors in the United States have long been subject to data breach notification obligations, both to data subjects and to regulators, so we are familiar with these processes. Neustar continuously reviews and updates our privacy and security policies to reflect the highest standards. We are accountable for processing undertaken as a data controller, and as a processor we limit our activities via contract to processing undertaken at the direction and on behalf of the data processor. Neustar’s data governance architecture is designed to streamline and automate compliance with applicable law, including LGPD.
Subject to the limitations contained in applicable data protection laws, including LGPD, Neustar honors all relevant data subject rights. Neustar does not use or permit the use of its services for automated individual decision-making that produces legal effects or otherwise significantly affects a data subject.
Our existing online request portal is designed to handle all data subject requests to exercise LGPD-established rights. Neustar will also honor requests submitted via email to email@example.com.
While certain opt-outs and subject access requests can be automated, it is extremely important to avoid release of personal data about one person to another. Accordingly, Neustar requires sufficient information about the individual's identity in order to ensure that the person making the request is the individual to whom the data relates (or someone authorized by the data subject to make that request). The amount of information needed depends on the nature of the data requested and the means through which it is submitted. For example, if the requestor provides a Cookie ID or places the request electronically, it may be possible to confirm that the Cookies match without requesting additional information. In other cases, we may require reasonable evidence of identity and/or presence in Brazil.
Kevin Hughes, Executive Vice President and General Counsel, has been appointed Neustar's Data Protection Officer.
For more information, please see Neustar’s Privacy Statement. If you have unanswered questions, feel free to contact us via email sent to: firstname.lastname@example.org