On December 4, 2020, the Superintendence of Private Insurance (SUSEP) published a Circular that provides for the data and information security and confidentiality policy of registration entities that are accredited by SUSEP to provide the service of registering insurance operations, supplementary pension plans, capitalization and reinsurance.
The Circular, which had previously been submitted for public consultation, consolidates the minimum standards that accredited registration entities must adopt within the scope of the data security and confidentiality policy.
The rule prohibits: (i) commercializing registered data and information or making them freely available, except with the express consent of the holder; (ii) the use or processing of registered data and information, except when complying with the requirements of current legislation and the conditions contractually established with the supervised entities; and (iii) the exchange of information with other registration entities, except in the case of data portability.
Furthermore, the Circular determines that, should the registration entity fail to provide the service in question, it must port the data and information to another registration system approved by SUSEP.
The rule also establishes that registration entities shall be held liable for any damages caused by the improper processing of data and information.
Finally, the Circular meets the guidelines for the protection of personal data established by Law No. 13,709, of August 14, 2018 (Brazilian General Data Protection Law – LGPD), which recently came into force.
Demarest’s Insurance and Reinsurance team is available to provide any clarifications on the subject.