Vamospago has developed this payment service (the"Service") to make it easy for merchants to accept a large range of preferred local payment methods in many countries. By using the Service, you agree to our terms of use as set out below.
Vamospago has developed this payment service (the "Service") to make it easy for merchants to accept a large range of preferred local payment methods in many countries. BUT YOU ACKNOWLEDGE that if you use the service within the area of Bahrain, your use of the Service is governed by this: Term of Service - Bahrain , which incorporates this Terms of Use by reference, and if there is a conflict between this Terms of Service and the Term of Service of Bahrain, the “Term of Service of Bahrain” controls. By using the Service, you agree to our terms of use as set out below.
We provide the Vamospago API and other software to enable you to use the Service. We reserve the right to require you install or update any and all software updates to continue using the Service. Our Service also includes software to help you manage recurring and subscription billing charges for your products and services. It is your responsibility to obtain your customers' consent to be billed on a recurring basis in compliance with applicable legal requirements and Card Network payment rules.
By accepting this agreement, you authorize us to hold, receive, and disburse funds on your behalf when such funds from your payment transactions settle from the payment partners. You also authorize Vamospago to hold settlement funds in a deposit account pending disbursement of the funds to you in accordance with the terms of this contract. You agree that you are not entitled to any interest or other compensation associated with the settlement funds held in the deposit account pending settlement to your designated deposit account, that you have no right to direct that deposit account, and that you may not assign any interest in the deposit account. We will display the anticipated settlement in the admin dashboard that we have or are set to receive on your behalf. This settlement information does not constitute a deposit or other obligation of Vamospago to you. This settlement information reflected in the Vamospago management dashboard is for reporting and informational purposes only, and you are not entitled to, and have no ownership or other rights in settlement funds, until such funds are credited to your designated deposit account. Your authorizations set forth herein will remain in full force and effect until your Vamospago account is closed or terminated.
We provide a global payment solution through a large range of payment methods, such as ewallets, direct debit, bank transfers, cash payment, prepaid cards.
It is your responsibility to determine what, if any, taxes apply to the sale of your goods and services and/or the payments you receive in connection with your use of the Service ("Taxes"). It is solely your responsibility to assess, collect, report, or remit the correct tax to the proper tax authority. We are not obligated to, nor will we determine whether Taxes apply, or calculate, collect, report, or remit any Taxes to any tax authority arising from any transaction. You acknowledge that we may make certain reports to tax authorities regarding transactions that we process and merchants to which we provide card payment services.
You are fully responsible for the security of data on your website or otherwise in your possession. You agree to comply with all applicable governmental laws and rules in connection with your collection, security and dissemination of any personal, financial, payment, or transaction information (defined as "Data") on your website. You are also responsible for your login credentials to the Vamospago management dashboard. Vamospago will provide its best efforts in order to keep your account secure from fraudulent logins.
Vamospago is responsible for protecting the security of Data in our possession and will maintain commercially reasonable administrative, technical, and physical procedures to protect all the personal information regarding you and your customers that is stored in our servers from unauthorized access and accidental loss or modification. However, we cannot guarantee that unauthorized third parties will never be able to defeat those measures or use such personal information for improper purposes. You acknowledge that you provide this personal information regarding you and your customers at your own risk. We recommend you review our Privacy Policy, which will help you understand how we collect, use and safeguard the information you provide to us.
If we believe that a security breach or compromise of data has occurred, Vamospago may require you to have a third party auditor that is approved by Vamospago conduct a security audit of your systems and facilities and issue a report to be provided to Vamospago, financial banks, and our payment systems.
Your privacy and the protection of your data are very important to us. You acknowledge that you have received, read in full and agree with the terms of our Privacy Policy linked to and incorporated into this Agreement by reference, which contains your consent to our collection, use, retention and disclosure of personal information as well as other matters set forth therein and which explains how and for what purposes we collect, use, retain, disclose and safeguard the information you provide to us. You also acknowledge that we or our payment partners may be required to report your business name and the name of your principals to the government authorities if it is determined by a legal court order. Information you choose to upload may be used to payment system partners only to provide you with more payment options. Vamospago will never sell any of you or your user data to a third party for marketing purposes.
You represent to Vamospago that you are in compliance with all applicable privacy laws, you have obtained all necessary rights and consents under applicable law to disclose to Vamospago, or Vamospago to collect, use, retain and disclose any User Data that you provide to us or authorize us to collect. As between you and Vamospago, you are solely responsible for disclosing to your customers that Vamospago is providing payment services for you and obtaining Data from you about such customers.
You are required to obey all laws, rules, and regulations applicable to your use of the Service (for example, those governing financial services, consumer protections, unfair competition, anti-discrimination or false advertising). In addition to any other requirements or restrictions set forth in this Agreement, you shall not: (i) utilize the payment options as a way to advance money to users via payment methods, (ii) submit any payment transactions for processing that did not arise from your sale of goods or service to a buyer customer, or acceptance of a bona fide charitable donation, (iii) act as a payment intermediary or aggregator or otherwise resell our services on behalf of any third party, (iv) send what you believe to be potentially fraudulent authorizations or fraudulent payment transaction, or (v) use Vamospago in a manner that our payment partners believe you are abusing Vamospago's services and violate the applicable rules. You further agree not to, nor to permit any third party to, do any of the following: (i) access or attempt to access Vamospago systems, programs or data that are not made available for public use; (ii) copy, reproduce, republish, upload, post, transmit, resell or distribute in any way material from Vamospago; (iii) permit any third party to use and benefit from the Service via a rental, lease, timesharing, service bureau or other arrangement; (iv) transfer any rights granted to you under this Agreement; (v) work around any of the technical limitations of the Service, use any tool to enable features or functionalities that are otherwise disabled in the Service, or decompile, disassemble or otherwise reverse engineer the Service, except to the extent that such restriction is expressly prohibited by law; (vi) perform or attempt to perform any actions that would interfere with the proper working of the Service, prevent access to or use of the Service by our other users, or impose an unreasonable or disproportionately large load on our infrastructure; or (vii) otherwise use the Service except as expressly allowed under this section.
We reserve the right to not authorize or settle any transaction you submit which we believe is in violation of this Agreement, any other Vamospago agreement, or exposes you, other Vamospago users, our processors or Vamospago to harm, including but not limited to fraud and other criminal acts. You are hereby granting us authorization to share information with law enforcement about you, your transactions, or your Vamospago Service Account if they request it through a court order or if it is deemed illegal by Hong Kong government.
You agree that Vamospago can provide disclosures and notices regarding the Service to you by posting such disclosures and notices on our website, emailing them to the email address listed in your Vamospago account, or mailing them to the address listed in your Vamospago Merchant Account. You also agree that electronic disclosures and notices have the same meaning and effect as if we had provided you with a paper copy. Such disclosures and notices shall be considered to be received by you within 24 hours of the time it is posted to our website or emailed to you unless we receive notice that the email was not delivered.
If you receive information about others, including Cardholders, through the use of the Service, you must keep such information confidential and only use it in connection with the Service. You may not disclose or distribute any such information to a third party or use any such information for marketing purposes unless you receive the express consent of the user to do so. You may not disclose payment information to any third party, other than in connection with processing a payment for your users under this Service.
You agree that, from the time you begin processing payment with Vamospago until you terminate your account with us, we may identify you as a customer of Vamospago. Neither you nor we will imply any untrue sponsorship, endorsement or affiliation between you and Vamospago.
The information contained in this website is for general information purposes only. The information is provided by Vamospago and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.
Through this website you are able to link to other websites which are not under the control of Vamospago. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, Vamospago takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
This policy covers how Vamospago ("us," "we") protects and uses the collected information about the user. Vamospago protects the privacy of all users who visit or use the Vamospago Service (collectively or individually, "you" or "Users").
The purpose of the Privacy Policy informs you about the information we collect, share and protect when you visit or use the Vamospago Service. By using the Vamospago Service you are agreeing to this Privacy Policy. This Privacy Policy applies to all personally identifiable information collected on the Web site where this Privacy Policy is posted.
Please note if the user is under the age of 18, the user must get consent of a parent or legal guardian to access the Vamospago Service. Accordingly, Vamospago does not knowingly collect or maintain personally identifiable information from persons under the age of 18 years. If Vamospago learns that personally identifiable information of those under the age of 18 years has been collected on our website or through our Vamospago Service, then Vamospago will take the appropriate action to delete the information. Notwithstanding any provision above, if the specific local regulations has different requirements on the minimum age to use the services based on the data protection law is under 18 years old, the applicable territory’s regulation (including the applicable age) shall prevail.
We will gather personal information about you under the following circumstances:
(I) When you open a Vamospago account, we will collect the contact information including - your name, address, phone number, email, date of birth, and other similar information. This information can be reviewed and edited at any time by logging into your account.
(II) When you access our website or visit a web page that is using our service: Our service gathers information automatically transmitted from the device(s) you use to access our website or the sites integrating our service, such as your IP address, unique device identifier, browser information, and system (e.g., operating system) information. This information, alone or combined with other information, may allow you to be identified.
(III) When you complete a transaction using our service: During the course of a transaction, you may need to enter certain information about yourself. This information may include your full name, address, date of birth, and details about the payment method you are using.
(IV) When it is provided to us by third party sources in connection with your use of our service: Our merchants may send to us any information you have provided them, including your personal details (e.g., name, contact information) and details regarding your past and current purchases and activity on their site. Additionally, we may receive information about you from the provider of the payment method you use on our service to the extent such information is necessary to process your transaction, or if it later becomes necessary during an investigation into fraudulent or otherwise suspicious transactions.
(V) When you communicate with us: You may need to provide additional information about yourself and your transaction in communication. Additionally, we may contact you to request proof of personal identity, such as a picture of a legal identification document, in order to ensure your transaction is valid or to the extent it otherwise may be necessary to comply with our legal obligations as a financial institution.
We only use your data for the following reasons:
(I) To offer the Vamospago service: We will use your personal information as necessary to provide the Vamospago service, including to the extent necessary to process the transaction you initiated, verify your identity, authenticate your access of a Vamospago account, and communicate with you about the service.
(II) To manage risk and protect you, the site and the Vamospago service: Fraud prevention is a critical part of providing payment services, and we use your information to help us detect and prevent fraud.
(III) To comply with our legal obligations, including all applicable anti-money laundering laws, anti-terrorist financing laws, financial services regulations, and our contractual obligations to the third party partners who provide or help to provide any payment method you use on our service.
(IV) For our other legitimate business needs: We may need to use your personal information in order to enforce our contracts and terms of service and monitor activity on the site.
Your data may be disclosed to third parties in any or all of the following circumstances. Because your privacy is important to us, we have taken measures to ensure that all of the entities we share your information with have implemented strong data privacy and data protection practices of a level comparable to that which we employ.
(I) When our payment partners need it to process a transaction you initiated: We have contracts with banks and other third-party financial institutions for every payment method we offer on our service. When you authorize a transaction, we will transmit to the relevant third party any information they require to process this transaction. What information is required will vary by payment type, but may include your name, address, and details of the purchase you are attempting to make.
(II) When our merchants need it to process a transaction you initiated: Where necessary, we will share certain information about you with our third party merchants to help facilitate the transactions. This data will never include your sensitive payment details (such as credit card number).
(III)When other third parties that provide us with services related to the Vamospago service require it in order to provide the services, such as our server hosting providers and independent auditors we engage for the purposes of analyzing our compliance with the law or relevant independent standards.
(IV) To the extent required by law: We will share your information with third parties to the extent we are required to do so by law. For example, we are required by law to undergo certain routine audits, which may require us to share your information with the third party auditors we have engaged in relation to these requirements. Additionally, we may have to disclose your information when we receive a valid subpoena or other law enforcement request, or when the law requires us to affirmatively notify law enforcement in order to prevent harm or illegal activity. The necessity of all such disclosures will be determined in our sole discretion. For more information on our procedures related to legal requests, please review our law enforcement policy.
(V) To the extent our legitimate business interests require us to do so, for example by transmitting it to our third party partners for inclusion on their blacklists or lists of terminated merchants, to help us engage in our fraud reduction efforts, to support our corporate governance activities or facilitate the sale or other transfer of all or part of our business, or to protect us or our service.
Vamospago's goal is to provide you with a safe and convenient online checkout experience. We always protect the security of your information by using Secure Sockets Layer (SSL) technology for each transmission that encrypts the information you input. All purchases made via a credit card or alternative direct payment must use an SSL-enabled browser. Using SSL-enabled browsers better protect the confidentiality of your personal and credit card information while it is being transmitted over the Internet. When you enter sensitive information (such as e-wallet account details, mobile number, credit card number or your password) and place an order online, we encrypt that information using Secure Socket Layer (SSL) technology which is the approved industry standard.
Users can check the security of their internet connection by looking at address bar of your browser window as you place your order online. If you see an unbroken key or a closed lock, then the SSL is active and the server is secure. You can also double-check by looking at the URL line of your browser. When accessing a secure server, the first characters of the site address will change from "http" to "https". For credit card transactions, we will securely transmit the entire credit card number to be processed by the credit card company. We will only reveal the last 4 digits of your credit card number when printing an order confirmation. For security purposes we do not keep or store your credit card information as it is only used to complete the secure transaction. Your credit card number and other sensitive information will not be stored after the transaction is complete to help protect your credit card information. To further protect against unauthorized access to your account and to your computer, be sure to sign off when finished.
You have the right to:
(I) Request that we change any personal information that pertains to you.
(II) Request that we delete any personal information that pertains to you.
To request a change to your personal information, or deletion of your personal information, contact us.
Vamospago does not and will not, at any time, request your full credit card information, your account ID and password or national identification numbers in a non-secure or unsolicited email or through telephone communication. Please never disclose your passwords for any reason.
Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology
You can manually set your browser to notify you when you receive a cookie. This enables you to decide if you want to accept it or not. Alternatively, you can choose to turn off all cookies via your browser settings. However, some of the services and features offered through our Website may not function properly if your cookies are disabled.
Cookies can be first party or third-party cookies.
First party cookies - cookies that the website you are visiting stores on your computer.
Third party cookies - cookies stored on your computer through the website but by third parties, such as, Google.
We use the following cookies on our Website:
Strictly necessary/session cookies
These cookies are essential in enabling you to move around our website and use its features. Without these cookies, services you have asked for cannot be provided. They are deleted when you close the browser. These are first party cookies.
Performance cookies
These cookies collect anonymous data about how visitors use our website. They allow us to recognize and count the number of visitors and to see how visitors move around our website when they are using it and the approximate regions that they are visiting from. These are first party cookies.
Functionality cookies
These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customize. The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites. These are first party cookies.
Analytics, advertising and Social Media cookies
The use of cookies allows us and our advertisers to deliver information more relevant to you and your interests and they may also connect you with social media networks. These are persistent cookies which will be kept on your device until their expiration or earlier manual deletion.
Cookie consent and opting out
When you arrive on our website a pop-up message will appear notifying you that our website uses cookies. By using our website, you are consenting to our use of cookies. If you, or another user of your device, wishes to withdraw your consent at any time, you can do so by altering your browser settings, otherwise we will assume that you are happy to receive cookies from our website.
If you have any questions about this Privacy Policy, please contact us.
We may change the Privacy Policy from time to time. We will inform you by posting the revised Privacy Policy on the Website. Please check our Privacy Policy periodically for changes. We will post the date the Privacy Policy was last updated at the bottom of the Privacy Policy. The changes will go into effect on the "Last Updated" date shown in the revised Privacy Policy. By continuing to use the Website, you consent to the revised Privacy Policy.
Last updated: October 10, 2020
Brazilian Data Protection Law (LGPD)
(As amended by Law No. 13,853/2019)
The NATIONAL CONGRESS decrees:
Art. 1 This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
Sole paragraph. The general provisions of this Law are of national interest and must be observed by the Federal Union, States, Federal District and Municipalities. (by Law No. 13,853/2019)
Art. 2 The discipline of personal data protection is grounded on the following:
I – respect for privacy;
II – informational self-determination;
III – freedom of expression, information, communication and opinion;
IV – inviolability of intimacy, honor and image;
V – economic and technological development and innovation;
VI – free enterprise, free competition and consumer defense;
VII – human rights, free development of personality, dignity and exercise of citizenship by natural persons.
Art. 3 This Law applies to any processing operation carried out by a natural person or a legal entity of either public or private law, irrespective of the means, the country in which its headquarter is located or the country where the data are located, provided that:
II – the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory; or (New Wording Given by Law No. 13,853/2019)
III – the personal data being processed were collected in the national territory.
Art. 4 This Law does not apply to the processing of personal data that:
I – is done by a natural person exclusively for private and non-economic purposes;
II – is done exclusively:
III – is done exclusively for purposes of:
IV– have their origin outside the national territory and are not the object of communication, shared use of data with Brazilian processing agents or the object of international transfer of data with another country that is not the country of origin, since the country of origin provides a level of personal data protection adequate to that established in this Law.
Art. 5 For purposes of this Law, the following definitions apply:
I – personal data: information regarding an identified or identifiable natural person;
II – sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person;
III – anonymized data: data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing;
IV – database: a structured set of personal data, kept in one or several locations, in electronic or physical support;
V – data subject: a natural person to whom the personal data that are the object of processing refer to;
VI – controller: natural person or legal entity of either public or private law in charge of making the decisions regarding the processing of personal data;
VII – processor: natural person or legal entity of either public or private law that processes personal data in the name of the controller;
VIII - data protection officer: person named by the controller and processor to act as a channel of communication between the controller, the subjects of such data and the National Data Protection Authority (ANPD); (New Wording Given by Law No. 13,853/2019)
IX – processing agents: the controller and the processor;
X – processing: any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction;
XI – anonymization: use of reasonable and available technical means at the time of the processing, through which data loss the possibility of direct or indirect association with an individual;
XII – consent: free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose;
XIII – blocking: temporary suspension of any processing operation, by means of retention of the personal data or the database;
XIV – deletion: exclusion of data or a set of data stored in a database, irrespective of the procedure used;
XV – international data transfer: transfer of personal data to a foreign country or to an international entity of which the country is a member;
XVI – shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared processing of banks of personal data by public agencies and entities, in compliance with their legal capabilities, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or among private entities;
XVII – data protection impact assessment: documentation from the controller that contains the description concerning the proceedings of the personal data processing that could pose risks to civil liberties and fundamental rights, as well as measures, safeguards and mechanisms to mitigate said risk;
XVIII - research body: body or entity from the direct or indirect public administration or nonprofit legal entity of private law, legally organized under the Brazilian law, with headquarters and jurisdiction in the Country. This body or entity includes in its institutional mission, in its corporate or statutory purposes basic or applied research of historical, scientific, technological or statistical nature; and (New Wording Given by Law No. 13,853/2019)
XIX - national authority: body of the public administration responsible for supervising, implementing and monitoring the compliance with this Law in all national territory.” (New Wording Given by Law No. 13,853/2019).
Art. 6 Activities of processing of personal data shall be done in good faith and be subject to the following principles:
I – purpose: processing done for legitimate, specific and explicit purposes of which the data subject is informed, with no possibility of subsequent processing that is incompatible with these purposes;
II – adequacy: compatibility of the processing with the purposes communicated to the data subject, in accordance with the context of the processing;
III - necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering data that are relevant, proportional and non-excessive in relation to the purposes of the data processing;
IV – free access: guarantee to the data subjects of facilitated and free of charge consultation about the form and duration of the processing, as well as about the integrity of their personal data;
V – quality of the data: guarantee to the data subjects of the accuracy, clarity, relevancy and updating of the data, in accordance with the need and for achieving the purpose of the processing;
VI – transparency: guarantee to the data subjects of clear, precise and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy
VII – security: use of technical and administrative measures which are able to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
VIII – prevention: adoption of measures to prevent the occurrence of damages due to the processing of personal data;
IX – nondiscrimination: impossibility of carrying out the processing for unlawful or abusive discriminatory purposes; and
X – accountability: demonstration, by the data processing agent, of the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures.
Section I
Requirements for the Processing of Personal Data
Art. 7 Processing of personal data shall only be carried out under the following circumstances:
I – with the consent of the data subject;
II – for compliance with a legal or regulatory obligation by the controller;
III – by the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to the provisions of Chapter IV of this Law;
IV – for carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data;
V – when necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
VI – for the regular exercise of rights in judicial, administrative or arbitration procedures, the last pursuant to Law No. 9,307, of September 23, 1996 (the “Brazilian Arbitration Law”);
VII – for the protection of life or physical safety of the data subject or a third party;
VIII – to protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities; (New Wording Given by Law No. 13,853/2019)
IX – when necessary to fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail; or
X – for the protection of credit, including as provided in specific legislation.
Art. 8 The consent provided in item I of Art. 7 of this Law shall be given in writing or by other means able to demonstrate the manifestation of the will of the data subject.
Art. 9 The data subject has the right to facilitated access to information concerning the processing of her/his data, which much be made available in a clear, adequate and ostensible manner, concerning, among other characteristics provided in regulation for complying with the principle of free access:
I – the specific purpose of the processing;
II – the type and duration of the processing, being observed commercial and industrial secrecy;
III – identification of the controller;
IV – the controller’s contact information;
V – information regarding the shared use of data by the controller and the purpose;
VI – responsibilities of the agents that will carry out the processing; and
VII – the data subject’s rights, with explicit mention of the rights provided in Art. 18 of this Law.
Art. 10. Controller’s legitimate interest can only be grounds for processing personal data for legitimate purposes, based on particular situations, which include but are not limited to:
I – support and promotion of the controller’s activity; and
II – protection of data subject’s regular exercise of her/his rights or provision of services that benefit her/him, subject to her/his legitimate expectations and fundamental rights and freedoms, in accordance with this Law.
Section II
Processing of Sensitive Personal Data
Art. 11. The processing of sensitive personal data shall only occur in the following situations:
I – when the data subject or her/his legal representative specifically and distinctly consents, for the specific purposes;
II – without consent from the data subject, in the situations when it is indispensable for:
I - data portability of data when requested by the data subject; or
II - the financial and administrative transactions resulted from the use and provision of the services referred to in this paragraph.
Art. 12. Anonymized data shall not be considered personal data, for purposes of this Law, except when the process of anonymization to which the data were submitted has been reversed, using exclusively its own efforts, or when it can be reversed applying reasonable efforts.
Art. 13. When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within the entity and strictly for the purpose of carrying out studies and research. Those databases shall be kept in a controlled and secure environment, in accordance with security practices provided in specific regulation and this includes, whenever possible, anonymization or pseudonymization of the data, as well as taking into account the proper ethical standards related to studies and research.
Section III
Processing of Children and Adolescents’ Personal Data
Art. 14. The processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to this article and specific legislation.
Section IV
Termination of Data Processing
Art. 15. The processing of personal data shall be terminated under the following circumstances:
I – verification that the purpose has been achieved or that the data are no longer necessary or pertinent to achieve the specific purpose intended;
II – end of the processing period;
III – communication by the data subject, including when exercising her/his right to revoke consent, as provided in §5 of Art. 8 of this Law, subject to the public interest; or
IV – determination by the national authority when there has been a violation of the provisions of this Law.
Art. 16. Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but their storage is authorized for the following purposes:
I – compliance with a legal or regulatory obligation by the controller;
II – study by a research entity, ensuring, whenever possible, the anonymization of the personal data;
III – transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or
IV – exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized.
Art. 17. Every natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed, under the terms of this Law.
Art. 18. The data subject , regarding the data subject’s data being processed by the controller, at any time and by means of request, has the right to obtain the following from the controller:
I – confirmation of the existence of the processing;
II – access to the data;
III – correction of incomplete, inaccurate or out-of-date data;
IV – anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this Law;
V – portability of the data to another service provider or product provider, by the means of an express request, pursuant with the regulations of the national authority, and subject to commercial and industrial secrets; (New Wording Given by Law No. 13,853/2019)
VI – deletion of personal data processed with the consent of the data subject, except in the situations provided in Art. 16 of this Law;
VII – information about public and private entities with which the controller has shared data;
VIII – information about the possibility of denying consent and the consequences of such denial;
IX – revocation of consent as provided in §5 of Art. 8 of this Law.
I – communicate that she/he is not the data processing agent and indicate, whenever possible, who the agent is; or
II – indicate the reasons of fact or of law that prevent the immediate adoption of the measure.
Art. 19. Confirmation of the existence of or access to personal data shall be provided by means of request by the data subject:
I – in a simplified format, immediately; or
II – by means of a clear and complete declaration that indicates the origin of the data, the nonexistence of registration, the criteria used and the purpose of the processing, subject to commercial and industrial secrecy, provided within a period of fifteen (15) days as from the date of the data subject’s request.
I – by electronic means that is safe and suitable for this purpose; or
II – in printed form.
Art. 20. The data subject has the right to request for the review of decisions made solely based on automated processing of personal data affecting her/his interests, including decisions intended to define her/his personal, professional, consumer and credit profile, or aspects of her/his personality. (New Wording Given by Law No. 13,853/2019)
Art. 21. Personal data concerning the regular exercise of rights by the data subject cannot be used to her/his detriment.
Art. 22. The defense of the interests and rights of data subjects may be carried out in court, individually or collectively, as provided in pertinent legislation regarding the instruments of individual and collective protection.
Section I
Rules
Art. 23. Processing of personal data by legal entities of public law referred to in sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), shall be done in fulfillment of its public purpose, in benefit of the public interest, for the purpose of performing legal capabilities or discharging legal attributions of the public service, provided that:
I – they communicate the situations in which, in the exercise of their regulatory capacities, they carry out the processing of personal data, supplying clear and up-to-date information about the legal base, purpose, procedures and practices used to carry out these activities in an easily accessible media, preferably on their websites;
II – (vetoed); and
III – a data protection officer is appointed when carrying out personal data processing operations, in accordance with Art. 39 of this Law; and (New Wording Given by Law No. 13,853/2019)
IV – (vetoed). (Included by Law No. 13,853/2019)
Art. 24. Public companies and mixed-capital companies that operate in the competing market, subject to the provisions of Art. 173 of the Federal Constitution, shall receive the same treatment given to private legal entities of private law, under the terms of this Law.
Sole paragraph. Public and mixed-capital companies, when they are carrying out public policies and within the scope of their execution, shall receive the same treatment given to the bodies and entities of the public authorities, under the terms of this Chapter.
Art. 25. Data shall be kept in an interoperable format and structured for shared use intended for the execution of public policies, provision of public services, decentralization of public activity, dissemination and access to information by the general public.
Art. 26. The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies and legal attributions by agencies and public entities, subject to the principles of personal data protection listed in Art. 6 of this Law.
I – in cases of decentralized execution of public activity that requires transfer, exclusively for this specific and distinct purpose, subject to the provisions of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”);
II – (vetoed);
III – in cases in which the data are publicly accessible, subject to the provisions of this Law.
IV – when there is a legal provision or the transfer is grounded on contracts, agreements or similar instruments; or (Included by Law No. 13,853/2019)
V – in the event that the transfer of data is exclusively intended to prevent fraud and irregularities, or to protect and safeguard the data subject’s security and integrity, provided that processing is forbidden to be carried out for other purposes.” (Included by Law No. 13,853/2019)
Art. 27. Communication or shared use of personal data from a legal entity of public law to a legal entity of private law shall be communicated to the national authority and shall rely on the consent of the data subject, except:
I – in situations in which consent is waived as provided in this Law;
II – when there is shared use of data, which will be given publicity pursuant to item I of the lead sentence of Art. 23 of this Law; or
III – in the exceptions contained in §1 of Art. 26 of this Law.
Sole paragraph. The information to be given to the national authority referred to in this article shall be subject to regulation.” (Included by Law No. 13,853/2019)
Art. 28. (vetoed)
Art. 29. The national authority may request, at any time, for bodies and entities of the Public Administration to carry out personal data processing operations, the specific information on the scope and nature of the data and other details of the processing performed and may issue complementary technical report to ensure compliance with this Law.” (New Wording Given by Law No. 13,853/2019)
Art. 30. The national authority may establish complementary rules for communication or shared used of personal data activities.
Section II
Accountability
Art. 31. When there is an infringement of this Law as a result of personal data processing by public agencies, the national authority may issue a statement with applicable measures to stop the violation.
Art. 32. The national authority may request agents of the public authorities to publish impact reports on protection of personal data and may suggest the adoption of standards and good practices for processing personal data by the public authorities.
Art. 33. International transfer of personal data is only allowed in the following cases:
I - to countries or international organizations that provide a level of protection of personal data that is adequate to the provisions of this Law;
II – when the controller offers and proves guarantees of compliance with the principles and the rights of the data subject and the regime of data protection provided in this Law, in the form of:
III – when the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;
IV – when the transfer is necessary to protect the life or physical safety of the data subject or of a third party;
V– when the national authority authorizes the transfer;
VI – when the transfer results in a commitment undertaken through international cooperation;
VII – when the transfer is necessary for the execution of a public policy or legal attribution of public service, which shall be publicized pursuant to item I of the lead sentence of Art. 23 of this Law;
VIII – when the data subject has given her/his specific and highlighted consent for the transfer, with prior information about the international nature of the operation, with this being clearly distinct from other purposes; or
IX – when it is necessary to satisfy the situations provided in
items II, V and VI
of Art. 7 of this Law.
Sole paragraph. For purposes of item I of this article, the legal entities of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), within their legal capabilities, and those parties accountable, within the scope of their activities, may request the national authority to evaluate the level of protection of personal data provided by a country or international organization.
Art. 34. The level of data protection in the foreign country or international organization referred to in item I of the lead sentence of Art. 33 of this Law shall be evaluated by the national authority, which shall take into consideration:
I – the general and sectorial rules of legislation in force in the receiving country or international organization;
II – the nature of the data;
III – the compliance with the general principles of personal data protection and data subjects’ rights as provided in this Law;
IV – the adoption of security measures as provided in regulation;
V – the existence of judicial and institutional guarantees for respecting the rights concerning personal data protection; and
VI – other specific circumstances relating to the transfer.
Art. 35. The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a particular transfer, binding corporate rules or stamps, certificates and codes of conduct, referred to in item II of the lead sentence of Art. 33 of this Law, will be done by the national authority.
Art. 36. Changes to guarantees presented as sufficient for compliance with the general principles of protection and of the data subject’s rights referred to in item II of Art. 33 of this Law shall be communicated to the national authority.
Section I
Controller and Processor
Art. 37. The controller and the processor shall keep records of personal data processing operations carried out by them, especially when based on legitimate interest.
Art. 38. The national authority may determine that the controller must prepare a data protection impact assessment, which shall include personal data, sensitive data, and refer to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy.
Sole paragraph. Subject to the provisions of the lead sentence of this article, the report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.
Art. 39. The processor shall carry out the processing according to the instructions provided by the controller, which shall verify the obedience of her/his own instructions and of the rules applicable to the subject and the situation at hand.
Art. 40. The national authority may provide standards of interoperability for purposes of portability, free access to data and security, as well as standards for periods in which records on personal data must be kept, considering the necessity and the transparency.
Section II
Data Protection Officer
Art. 41. The controller shall appoint a data protection officer to be in charge of processing personal data.
I – accepting complaints and communications from data subjects, providing explanations and adopting measures;
II – receiving communications from the national authority and adopting measures;
III – orienting entity’s employees and contractors regarding practices to be taken in relation to personal data protection; and
IV – carrying out other duties as determined by the controller or set forth in complementary rules.
Section III
Liability and Loss Compensation
Art. 42. The controller or the processor that, as a result of carrying out their activity of processing personal data, cause material, moral, individual or collective damage to others, in violation of legislation for the protection of personal data, are obligated to redress it.
I – processors are jointly liable for damages caused by the processing when they do not comply with the obligations of data protection legislation or when they have not followed controller’s lawful instructions. In this last case, the processor is deemed equivalent to the controller, save from cases of exclusion as provided in Art. 43 of this Law;
II – controllers directly involved in the processing from which damages resulted to the data subject shall jointly answer, save from cases of exclusion as provided in Art. 43 of this Law.
Art. 43. Processing agents shall not be held liable only when they prove that:
I – they did not carry out the personal data processing that is attributed to them;
II – although they did carry out the processing of personal data that is attributed to them, there was no violation of the data protection legislation; or
III – the damage arises from the exclusive fault of the data subject or a third party.
Art. 44. Processing of personal data shall be deemed irregular when it does not obey the legislation or when it does not provide the security that its data subject can expect, considering the relevant circumstances of the processing, among which are:
I – the way in which the processing was carried out;
II – the result and the risks that one can reasonably expect of it;
III – the techniques for processing personal data available at the time it was carried out.
Sole paragraph. The controller or the processor who neglect to adopt the security measures provided in Art. 46 of this Law shall be held liable for damages caused by the violation of the security.
Art. 45. When there is a violation of data subject’s rights in the scope of consumer relations, the rules of liability provided in the pertinent legislation shall apply.
Section I
Security and Secrecy of Data
Art. 46. Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.
Art. 47. Processing agents or any other person that intervenes in one of the processing phases commit themselves to ensure the security of the information as provided in this Law regarding personal data, even following the conclusion of the processing in question.
Art. 48. The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.
I – a description of the nature of the affected personal data;
II – information on the data subjects involved;
III – an indication of the technical and security measures used to protect the data, subject to commercial and industrial secrecy;
IV – the risks related to the incident;
V – the reasons for delay, in cases in which communication was not immediate; and
VI – the measures that were or will be adopted to reverse or
mitigate the effects
of the damage.
I – broad disclosure of the event in communications media; and
II – measures to reverse or mitigate the effects of the incident.
Art. 49. The systems used for processing personal data shall be structured in order to meet the security requirements, standards of good practices and governance, general principles provided in this Law and other regulatory rules.
Section II
Good Practice and Governance
Art. 50. Controllers and processors, within the scope of their functions, concerning the processing of personal data, individually or by associations, may formulate rules for good practices and governance that set forth conditions of organization, a regime of operation, the procedures, including those for complaints and petitions from data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing, educational activities, internal mechanisms of supervision and risk mitigation and other aspects related to the processing of personal data.
I – implement governance program for privacy that, at the very least:
II – demonstrate the effectiveness of her/his privacy governance program when appropriate and, especially, at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which, independently, promote compliance with this Law.
Art. 51. The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.
Section I
Administrative Sanctions
Art. 52. Data processing agents that commit infractions of the rules provided in this Law are subject to the following administrative sanctions, to be applied by the national authority:
I – warning, with an indication of the time period for adopting corrective measures;
II – simple fine of up to two percent (2%) of a private legal entity’s, group or conglomerate revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of fifty million reais (R$ 50,000,000.00) per infraction;
III – daily fine, subject to the total maximum referred to in item II;
IV – disclosure and publicization of the infraction once it has been duly ascertained and its occurrence has been confirmed;
V – blocking of the personal data to which the infraction refers to until its regularization;
VI – deletion of the personal data to which the infraction refers to;
VII – (vetoed);
VIII – (vetoed);
IX – (vetoed);
X – partial suspension of the operation of the database related to the infraction for a maximum period of 6 (six) months, extendable for the same period, until the normalization of the processing activity by the controller; (Included by Law No. 13,853/2019)
XI – suspension of the personal data processing activity related to the infraction for a maximum period of 6 (six) months, extendable for the same period; (Included by Law No. 13,853/2019)
XII – partial or total prohibition of activities related to data
processing. (Included by Law No. 13,853/2019)
§1 The sanctions shall be applied following an
administrative
procedure that will provide opportunity for a full defense, in a
gradual, single or cumulative manner, in accordance with the
peculiarities of the particular case and taking into consideration the
following parameters and criteria:
I – the severity and the nature of the infractions and of the personal rights affected;
II – the good faith of the offender;
III - the advantage received or intended by the offender;
IV – the economic condition of the offender;
V – recidivism;
VI – the level of damage;
VII – the cooperation of the offender;
VIII – repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing the damage, for secure and proper data processing, in accordance with the provisions of item II of §2 of Art. 48 of this Law.
IX – adoption of good practices and governance policy;
X – the prompt adoption of corrective measures; and
XI – the proportionality between the severity of the breach and the intensity of the sanction.
I - only after at least one (1) of the sanctions mentioned in items II, III, IV, V and VI of the lead sentence of this article have been imposed, for the same facts; and
II - in the case of controllers subject to other agencies and entities with sanctioning powers, after those entities and agencies are heard. (Included by Law No. 13,853/2019)
Art. 53. The national authority shall define the methodologies that will be used for the calculation of the base value for fines, by means of its own regulations concerning administrative sanctions for violations of this Law, which must be the object of a public consultation.
Art. 54. The amount of daily fines applied to infractions of this Law shall observe the severity of the infraction and the extent of the damage or losses caused, and with grounded reasoning by the national authority.
Sole paragraph. The notice of imposition of a daily fine shall contain, at the very least, the description of the obligation being imposed, the reasonable timeframe stipulated by the body for compliance and the amount of the daily fine to be applied for non-compliance.
Section I
The National Data Protection Authority (“ANPD”)
Art. 55. (vetoed)
Art. 55-A The National Data Protection Authority (“ANPD”) is hereby created, without any increase in expenses, an entity part of the federal public administration, pertaining to the Presidency of the Republic.
Art. 55-B Technical and operative autonomy is ensured to ANPD.
Art. 55-C ANPD is comprised of:
I - Board of Directors, highest governing body;
II- National Council for Personal Data and Privacy Protection;
III - Internal Affairs Office;
IV - Ombudsman Office;
V - Its own legal advisory body; and
VI - Administrative units and specialized units required for the application of the provisions of this Law. (Included by Law No. 13,853/2019)
Art. 55-D ANPD Board of Directors shall be comprised of five (5) chief officers, including the Chief Executive Officer
Art. 55-E The members of the Board of Directors will only lose their position upon resignation, final and unappealable judicial conviction or dismissal penalty due to disciplinary administrative proceeding.
Art. 55-F The provision set forth in art. 6 of Law No. 12,813, of May 16, 2013 shall apply to the members of the Board of Directors, once their term comes to an end.
Sole Paragraph. Breach to the provisions set forth in the lead sentence of this article shall characterize an act of administrative improbity.
Art. 55-G The ANPD regimental structure shall be determined by an act from the President of the Republic.
Art. 55-H The commission and trust positions of ANPD will be relocated from other bodies and entities of the Federal Executive branch. (Included by Law No. 13,853/2019)
Art. 55-I Those servers in commission and trust positions in ANPD shall be recommended by the Board of Directors and appointed or designated by the Chief Executive Officer. (Included by Law No. 13,853/2019)
Art. 55-J The National Authority has the following duties:
I – to ensure the protection of personal data, as provided in legislation;
II – to ensure the observance of commercial and industrial secrets, as long as the protection of personal data and the confidentiality of information when it is protected by law or when the breach of confidentiality violates the grounds of art. 2 of this Law;
III – to elaborate guidelines for the Personal Data Protection and Privacy National Policy;
IV – to monitor and apply sanctions for data processing that is not compliant with legislation, through an administrative process that ensures right to adversary proceeding, full defense and the right to appeal;
V – to receive pleadings from the data subject against the controller after the data subject has demonstrated that he/she presented a complaint against the controller that was not solved in the timeframe established in regulation;
VI – to promote the knowledge of the norms and public policies on the protection of personal data and of the security measures to the general population;
VII – to promote and elaborate studies on national and international practices for the protection of personal data and privacy;
VIII – to stimulate the adoption of standards for services and products that facilitate the control of data subjects regarding their personal data, which should take into account the specificities of the activities and the size of those responsible;
IX – to promote cooperation initiatives with data protection authorities of other countries, of international or transnational nature;
X – to decide on the forms of publicity regarding personal data processing operations, observing commercial and industrial secrecy;
XI – to request, at any time, that entities of the public authority carry out operations of processing of personal data to give specific report about the scope and nature of the data and other details of the processing, and may issue complementary technical opinion to ensure compliance with this Law;
XII – to draft annual management reports of its activities;
XIII – to amend regulations and procedures on the protection of personal data and privacy, as well as on data protection impact assessment reports in cases in which the processing represents a high risk to the guarantee of the general principles of personal data protection foreseen in this Law;
XIV – to listen to processing agents and to the society in matters of relevant interest and to report on their activities and planning;
XV– to collect and apply its revenues and publish the breakdown of its revenues and expenses in the management report referred to in item XII of the lead sentence of this article;
XVI – to carry out audits, or to determine their occurrence regarding the processing of personal data carried out by processing agents, including public authorities;
XVII – to hold, at any time, agreements with processing agents in order to eliminate irregularities or legal uncertainties in administrative proceedings, in accordance with other provisions in Brazilian Law;
XVIII – to enact rules, guidelines and simplified and special procedures, including deadlines, so that microenterprises and small businesses are able to adapt to this Law, as well as incremental or disruptive business initiatives that declare themselves startups or innovation companies;
XIX – to ensure that data processing of elderly people is carried out in a simple, clear, accessible and adequate form to their understanding, in accordance with this Law the Statute of the Elderly;
XX – to discuss, at the administrative level, on the interpretation of this Law, its authorities and matters on which the Law is silent;
XXI – to report criminal offenses that it becomes aware of to competent authorities;
XXII – to report to the internal control bodies any violation to the provisions set forth in this Law performed by bodies and entities of the federal public administration;
XXIII – to coordinate with public regulatory authorities to exert their authority in specific sectors of economic and governmental activities bound to regulation; and
XXIV – to implement simplified mechanisms, including by electronic means, in order to collect and record complaints on the processing of personal data non-compliant with this Law.
Art. 55-K Applying the sanctions as provided for herein shall be the sole
responsibility of the ANPD, and in matters concerning the protection of
personal data, its powers and jurisdiction shall prevail over the
jurisdiction of other entities or bodies of the public
administration.
Sole Paragraph. ANPD shall articulate its operation and practices with
other bodies and entities with sanctioning and normative powers related
to matters of personal data protection, and it shall be the central body
for the interpretation of this Law and for setting the standards and
guidelines for the implementation thereof. (Included by Law No.
13,853/2019)
Art. 55-L Revenues from ANPD are:
I - budget allocations, provided in the general budget of the Union, special credits, additional credits, transfers and payments that are conferred to it;
II - donations, bequests, subsidies and other resources destined to it;
III - amounts determined in the sale or lease of movable and immovable assets of its property;
IV - amount calculated in financial market applications of the revenues provided in this article;
V – (vetoed);
VI - resources derived from agreements, contracts or similar instruments held with entities, bodies or companies, of either public or private law, national or international;
VII - sums of the sale of publications, technical material, data and information, including for public bidding purposes. (Included by Law No. 13,853/2019)
Art. 56. (vetoed)
Art. 57. (vetoed)
Section II
The National Council for the Protection of Personal Data and
Privacy
Art. 58. (vetoed)
Art. 58-A The National Council of Personal Data Protection and Privacy shall be comprised of 23 (twenty-three) representatives, full representatives and alternates, from the following bodies:
I – five (5) representatives from the federal Executive Branch;
II – one (1) representative from the Federal Senate;
III – one (1) representative from the House of Representatives;
IV – one (1) representative from the National Council of Justice;
V – one (1) representative from the National Council of Public Prosecutors;
VI – one (1) representative from the Brazilian Internet Steering Committee;
VII – three (3) representatives from entities of the civil society with experience related to personal data protection;
VIII – three (3) representatives from scientific, technological and innovative institution;
IX – three (3) representatives from trade union confederations representing the economic categories of the sector;
X – two (2) representatives from entities representatives of the business sector related to the area of personal data processing; and
XI – two (2) representatives from labor sector.
I - shall be appointed as provided for in the regulation;
II - must not be members of the Brazilian Internet Steering Committee (Comitê Gestor da Internet no Brasil);
III - shall have a two-year (2) term, with one reappointment being allowed.
Art. 58-B It is incumbent on the National Council of Personal Data Protection and Privacy to:
I - propose strategic guidelines and provide subsidies for the preparation of Personal Data Protection and Privacy National Policy and for the operation of ANPD;
II - prepare annual reports to evaluate the execution of the actions of the Personal Data Protection and Privacy National Policy;
III – suggest actions to be performed by ANPD;
IV – prepare studies and hold public debates and public hearing on personal data 8 protection and privacy; and
V – disseminate knowledge about the protection of personal data and privacy to the general population. (Included by Law No. 13,853/2019)
Art. 59 (vetoed)
Art. 60. Law No. 12,965, of April 23, 2014 (the “Brazilian Internet Law”), shall henceforth contain the following alterations:
“Art. 7 …
X – permanent deletion of personal data that has been provided to an internet application, upon request, at the termination of the relationship between the parties, except in the situations in which storage of records is obligatory, as provided in this Law and in that which governs personal data protection;…”
“Art. 16…
II – from personal data that are excessive in relation to the purpose for which consent was given by the data subject, except in situations provided in the Law that governs personal data protection.”
Art. 61 The foreign company shall be notified and summonsed of all procedural acts provided in this Law, irrespective of power of attorney or contractual or statutory provisions, in the person of the agent or representative or person responsible for its subsidiary, agency, branch, establishment or office located in Brazil.
Art. 62. The national authority and the Anísio Teixeira National Institute for Educational Studies and Research (Inep), within the scope of their regulatory capacity, shall enact specific regulations for accessing data processed by the Union for compliance with the provisions of §2 of Art. 9 of Law No. 9,394, of December 20, 1996 (the “Directive and Bases of National Education Act”), and those relating to the National Higher Education Evaluation System (Sinaes), as provided in Law No. 10,861, of April 14, 2004.
Art. 63. The national authority shall establish rules on the progressive suitability of databases established up to the date this Law comes into force, taking into account the complexity of the data processing operations and the nature of the data.
Art. 64. The rights and principles expressed in this Law do not exclude others provided in the Brazilian legal system related to the matter or in international treaties to which the Federative Republic of Brazil is a party.
Art. 65. This Law shall come into force: (New Wording Given by Law No. 13,853/2019)
I – December 28, 2018, as for articles 55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55- I, 55-J, 55-K, 55-L, 58-A e 58-B; and
I-A – August 1st, 2021, as for arts. 52, 53 and 54; (Included by Law No. 14,010/2020)
II – 24 (twenty-four) months following its official publication, as for the other articles (Included by Law 13,853/2019).
II – May 3rd, 2021, as for the other articles (New Wording Given by Provisional Measure No. 959/2020) (Converted into Law No. 14,058,/2020)
II – 24 (twenty-four) months following its official publication, as for the other articles.” (Included by Law No. 13,853/2019)
Brasília, August 14, 2018.
As a regulated and responsible payment company, Vamospago is committed to ensure that its activities comply with legal, regulatory as well as ethical standards, at all times.
Therefore, Prohibitions or Restrictions apply in relation to certain activities, businesses, flows and/or transactions (hereinafter, collectively, “Activities”) that may be carried out by Vamospago, its Partners as well as by their customers “End-users”.
Vamospago reserves the right to amend this list, at its entire and sole discretion, on the basis of legal or regulatory requirements as well as the evolution of Vamospago’s own risk appetite.
Prohibitions and Restrictions may apply also in those cases where Activities are conducted on an ancillary or accessory basis.
Vamospago’s appetite for Activities may evolve with time. Certain Prohibited or Restricted Activities may have been accepted in the past and some of them still be supported by Vamospago during the contractual relationship, with no right on Vamospago to immediately terminate the relevant business relationships. A past accepted history cannot be deemed as the immutable acceptance, neither be taken as a reference for other new merchants.
The list of Prohibitions and Restrictions constitutes a reference framework and should not be considered as being exhaustive.
Vamospago does not intend to conduct business with any charities, trust, legal agency, political parties, religious organizations or similar institutions. We cannot accept businesses which sell illegal products or are involved in any illegal activity. Some businesses are legal only when complying with some specific laws or rules. They either should have special licenses or age verification. The prohibited list is not exhaustive to include all types of illegal activities or services:
The following categories of Activities are Restricted and can be accepted only on the basis of formal approval by Vamospago’s compliance team.
When the merchant is involving in provisions of services related to specified activities, a local authorization/licence or equivalent legal opinion is required as mandatory:
If you are not sure whether your business falls into the Prohibited Activities category, feel free to contact us at compliance@Vamospago.com. Our team of devoted risk analysts will take every aspect of your specific company into consideration in order to make the right decision.
To better serve all our clients and partners, we have the highest level of security standards recognized by the payments industry.
版权所有 © 2024 VamosPago.