ANVISA’s Personal Data Protection Policy is released

On October 19, 2023, the Federal Official Gazette (DOU) published Administrative Order 1,184/2023, which provides for the National Health Surveillance Agency’s (Anvisa) conformity with the Personal Data Protection Policy and, consequently, the compliance of its internal processes with the General Personal Data Protection Law – Law 13.709/2018 (LGPD).

Anvisa’s aim is to implement internal guidelines for the protection of personal data. It also aims to comply with legislation when carrying out its activities, safeguarding privacy through rules and guidelines; which on one side preserve transparency and access to public information, and on the other side aim to protect the freedoms and rights of individuals. In this way, the Policy is targeted at the processing of personal data, safeguarded by the Agency, which will be done through its civil servants, employees, contractors, trainees, suppliers, service providers, or anyone involved in the Agency’s processes.

In this sense, the Policy determines that Anvisa’s personal data processing activities should be configured within parameters and principles, observing good faith:

Free Access: guarantee data subjects information for free, with easy consultation, about how their data will be processed and for how long, in accordance with Art. 6, IV of the LGPD;

Security: use technical and administrative measures with the aim of guaranteeing the protection of personal data from unauthorized access; and from adverse or illicit situations in the attempt to destroy, lose, alter, communicate, or disseminate the personal data of a data subject, according to Art. 6, VII of the LGPD;

Prevention: adopting preventive measures, in order to prevent possible incidents of damage as a result of the processing of personal data, in accordance with Art. 6, VIII of the LGPD; and

Responsibility and Accountability: demonstrate and prove that it has adopted efficient and appropriate measures for observing and complying with the rules on the protection of personal data, as provided for in Art. 6, X of the LGPD.

Some of the areas of ANVISA’s activities that require data processing include: product registration and renewals at ANVISA; applications for certificates and authorizations; complaints and notifications of adverse situations; applications for health inspections and inspections; and requests made to ANVISA by the public.

The publication of ANVISA’s Personal Data Protection Policy is in harmony with the objectives proposed in the Agency’s 2020-2023 Strategic Plan, which establishes the goal of improving regulatory quality in health surveillance, strengthening technical excellence in management and regulation and modernizing data processing systems.

For more content related to this matter, don’t hesitate to contact us at regulatorio@kasznarleonardos.com and digital@kasznarleonardos.com.