Respecting principles in data sharing

Abstract

The scope of the article is to provide recommendations on how to structure contractual clauses for the sharing of personally identifiable information between a controller and a processor. We initiate the article by commenting the first guide published by the National Data Protection Authority with non-binding guidelines regarding processing agents and the Brazilian Data Protection Officer. The guide is the first of its kind published by the Brazilian regulatory authority and is divided into seven chapters. We decided to divide this item into eight relevant topics, which are: processing agents; controller; joint controllership; singular controllership; processor; subcontracted processors; encharged: the Brazilian DPO. Additional comments. Later, we summarize the civil liability framework for processing agents designed by the Brazilian General Data Protection Law. From this moment on, we focus on straightforward recommendations regarding issues that deserve special attention in the negotiation of contractual agreements that deal specifically with personally identifiable information. Then, we broaden the scope of the recommendations to the theoretical level, in order to define bases for a legal reasoning that, through the use of principles, works as a guideline capable of directing interpreters in abstract cases of data sharing. Finally, we conclude with an overview of the ideas presented in the article.