New law
After several years of debate, Paraguay has enacted a personal data protection law, establishing a legal framework governing the processing of personal data and recognizing data protection as a legally protected interest based on the GDPR. This is the fourth law approved in Latin America based fully on the GDPR, after the laws of Brazil, Ecuador and Chile.
Text of the Law in English
National Congress
Law No. 7593 On the Protection of Personal Data in the Republic of Paraguay
The Congress of the Paraguayan Nation enacts with the force of law:
Title I — General Provisions
Chapter I — Purpose and Scope of Application
Article 1 — Purpose of the Law
This law aims to provide comprehensive protection for the personal data of natural persons in order to guarantee the full exercise of their rights and the free flow of information, in accordance with the provisions of the Constitution, international treaties, agreements, and conventions to which the Republic of Paraguay is a party.
Article 2 — Scope of Application
- This law applies to any processing of personal data, whether wholly or partially automated, as well as to non-automated processing where personal data form part of a file, or are intended to be part of a file, carried out by natural or legal persons, regardless of the means, country of establishment, or country where the data are located, in the following cases:
○ a) By a controller or processor established in the Republic of Paraguay, even if the processing is carried out in another country;
○ b) By a controller or processor not established within national territory, in the following cases:
■ i. when processing data of natural persons located in Paraguayan territory, except where the purpose is mere transit;
■ ii. when processing activities are related to the offering of goods or services directed at residents of the Republic of Paraguay; and
■ iii. when processing activities are related to monitoring the behavior of natural persons, insofar as such monitoring takes place within the territory of the Republic of Paraguay.
- This law shall not apply in the following cases:
○ a) Processing of personal data destined exclusively for activities within the scope of the family or domestic life of a natural person, which are not intended for disclosure or commercial use; and
○ b) Processing of data for public security purposes, relating to immigration, defense, national security, and activities in criminal matters, investigation, and crime suppression. In such cases, rights and fundamental freedoms must be respected at all times and applied as necessary and proportionate to the pursued aim, observing the general principles of personal data protection as well as the minimum safeguards established in this law, to the extent compatible with the nature of the processing.
Article 3 — Definitions
For the purposes of this law, the following definitions apply:
- Anonymization: The application of measures of any nature aimed at preventing or hindering the identification or re-identification of a natural person.
- Data blocking: The identification and confidentiality of personal data, adopting technical and organizational measures to prevent their processing, including their display, except for making data available to judges and courts, the Public Prosecutor’s Office, and other competent public authorities, in the form and conditions established by applicable rules.
- Consent: Any free, express, specific, informed, and unequivocal manifestation of will by which a natural person accepts and authorizes, whether through a declaration or a clear affirmative action in writing or by electronic means, or by any equivalent means permitted by technology, the processing of their own personal data or of the person they represent.
- Biometric data: Personal data obtained from a specific technical process, relating to the physical and/or physiological characteristics of a person, enabling or confirming the unique identification of that person, such as facial images, iris recognition, or fingerprint data.
- Genetic data: Personal data relating to inherited genetic characteristics that provide unique information about a person’s physiology or health, obtained particularly from the analysis of a biological sample from the person.
- Personal data: Information of any type relating to identified or identifiable natural persons. A person shall be deemed identifiable when they can be identified, directly or indirectly, by means of an identifier or by one or more elements characteristic of their physical, physiological, genetic, psychological, economic, cultural, or social identity.
- Sensitive personal data: Data relating to racial or ethnic origin; religious, philosophical, or moral beliefs or convictions; trade union or political affiliation; data relating to health; sexual preference or orientation; genetic data; or biometric data intended to uniquely identify a person; and all data whose improper use may give rise to discrimination or pose a serious risk to the data subject.
- Profiling: The result of personal data processing carried out in an automated or semi-automated manner to evaluate certain aspects of a natural person, to analyze or predict matters relating to professional or labor performance, economic situation, health, personal preferences, behavior, interests, and others that may be contemplated in regulation.
- Processor: The natural or legal person, public or private, who processes personal data on behalf of and under the instructions of the controller.
- Data protection impact assessment: A prior analysis for those data processing activities that may pose a risk to the rights and freedoms of persons.
- Personal data security incident: An occurrence that results in the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, or the unauthorized communication of or access to such data.
- Controller: The natural or legal person, public or private, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Third party: A natural or legal person, national or foreign, public or private, other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- Data subject: The natural person to whom personal data refer or pertain.
- International data transfer: The transfer of personal data between two or more persons, whether controllers or processors, where at least one of them is established in a jurisdiction outside the Republic of Paraguay.
- Processing: Any operation or set of operations carried out by manual, automated, or partially automated procedures performed on personal data, including, by way of example and not limitation, obtaining, access, collection, recording, organization, structuring, adaptation, indexing, modification, extraction, consultation, storage, conservation, blocking, elaboration, transfer, assignment, dissemination, possession, utilization, and in general any use or disposition of personal data.
Article 4 — General Principles of Personal Data Protection
The processing of personal data shall be governed by the following principles:
● a) Data accuracy: Data shall be accurate. The accuracy of data provided by the data subject is presumed. Processed data must precisely reflect the information provided by the data subject. Controllers and processors shall adopt all reasonable measures to update data and ensure inaccurate data are deleted or rectified without delay.
● b) Lawfulness: Personal data must be processed lawfully and fairly, in accordance with the provisions and principles established in the law. The controller must be able to demonstrate the lawfulness of the personal data processing it performs.
● c) Purpose limitation: Personal data must be collected and processed for specified, explicit, legitimate, and time-limited purposes, and shall not be processed subsequently in a manner incompatible or different from those purposes.
Further processing for archiving in the public interest, scientific or historical research, or statistical purposes shall not be considered incompatible with the initial purposes, provided measures are adopted to ensure respect for the principle of data minimization.
● d) Minimization or proportionality: Personal data processed shall be strictly limited to those necessary, adequate, and relevant in relation to the purposes of the processing and may be retained only for the time necessary to fulfill the purposes of the processing. Regulation shall determine cases in which, by exception and in view of historical, statistical, scientific, or administration of justice values, personal data may be retained even when such necessity or relevance has expired.
● e) Storage limitation: Data may not be retained for longer than necessary for the purposes of the processing. The supervisory authority shall establish deadlines for deletion and/or periodic review. Further processing of personal data for archiving in the public interest, scientific or historical research, or statistical purposes shall not be considered incompatible with the initial purposes, provided they are anonymized or pseudonymized.
● f) Fairness and transparency: Personal data shall be processed fairly and transparently in relation to the data subject.
The data controller must provide the data subject, in clear and simple language, with all information about the existence and main characteristics of the processing to which their data will be subject, as well as the information necessary to exercise the rights established by law. This information must be permanently accessible through means that are easily accessible to the data subject.
● g) Balancing public transparency and protection: The obligation to publish acts of State Bodies and Entities must take into account the principles of personal data protection established in this law and, in particular, the principle of minimization. The publication and dissemination of personal data shall proceed where their inclusion is necessary and proportionate to the transparency purpose pursued through publicity in the specific case. Personal data exceeding such purpose, or whose publication is unnecessary, must be excluded or redacted from acts or documents to be published. Publication of sensitive data is prohibited.
● h) Due diligence: The party responsible for the database or data controller and the processor, as applicable, must adopt appropriate measures, including privacy by design, privacy by default, data protection impact assessments, designation of a data protection officer, among others, to ensure proper personal data processing and to demonstrate effective implementation.
● i) Security: Technical and organizational measures must be adopted in the processing of personal data to ensure data security, aiming to prevent alteration, loss, accidental destruction or damage, or unauthorized or unlawful processing or access. In the case of data defined as sensitive, additional measures may be adopted to guarantee security, which will be determined in regulation under this law.
● j) Confidentiality: Controllers and processors of personal data, as well as every person involved at any stage of processing, are subject to a duty of confidentiality, which shall continue even after their relationship with the data subject ends. They may be released from the duty of confidentiality by court order or legal obligation.
Title II — Processing of Personal Data
Chapter I — Legal Bases for Processing Personal Data
Article 5 — Conditions
Personal data may only be processed if at least one of the following conditions is met:
- When the data subject gives consent for one or more specific purposes, in accordance with this law;
- When processing is necessary for the controller’s compliance with a legal obligation;
- For the necessary and proportionate processing and shared use of data by State Bodies and Entities for the exercise of their own functions and the execution of public policies, provided by laws and regulations, subject to this law;
- When processing personal data is necessary for the performance of a contract or pre-contractual measures related to a contract to which the data subject is a party, at the data subject’s request;
- When necessary for the regular exercise of rights in judicial, administrative, or arbitral proceedings;
- When processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, except where the data subject’s interest or fundamental rights and freedoms prevail, which require protection of personal data, particularly where the data subject is a child or adolescent. This item does not apply to personal data processing carried out by the State within the limitations provided in the Constitution and this law; and
- For the protection of the life, physical or psychological safety, and/or the protection of the health of the data subject or of a third party, exclusively in a procedure carried out by health professionals, health services, or the health authority within the limits of its competence, or for the legal protection of a natural person ordered by a competent authority in judicial proceedings.
Regulation shall determine appropriate measures according to the types of data, processing, and controllers, as well as the timing for their review and updating.
Article 6 — Conditions for Consent
Where the legal basis for processing personal data is consent, it must be prior, free, informed, and unequivocal, for one or more specified purposes, either through a declaration or a clear affirmative action.
If the data subject’s consent is given in the context of a written declaration that also refers to other matters, the request for consent must be presented in a manner clearly distinguishable from the other matters, intelligible, easily accessible, and using clear and simple language. Any declaration or part thereof that infringes this law shall not be binding.
The data subject has the right to withdraw or revoke consent at any time and must be informed thereof before granting consent. The controller must establish simple, agile, effective, and free mechanisms for exercising this right, which may not be more complex than the processes established for granting consent. Withdrawal or revocation of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.
In all cases, the controller bears the burden of demonstrating that the data subject consented to the use of their personal data.
Article 7 — Consent of Children and Adolescents
In the processing of the personal data of a child or adolescent, the protection of their best interests shall prevail, in accordance with the Constitution, the Convention on the Rights of the Child, other international legal instruments ratified by the Republic of Paraguay and the applicable legislation.
Processing personal data of persons under sixteen years of age, whether sensitive or not, requires the prior, express, and informed consent of the holder of parental authority, guardianship, or legal custody.
In the case of adolescents aged sixteen or older and up to the age of majority, processing of sensitive personal data requires the express consent of the adolescent, together with authorization from the holder of parental authority, guardianship, or legal custody.
In all cases, consent must be provided under conditions that guarantee understanding of its scope, using clear means and language appropriate to the child or adolescent’s age and development. The information referred to in this article must be provided in a simple, clear, and accessible manner, considering the physical-motor, perceptual, sensory, intellectual, and mental characteristics of the data subject or those who exercise parental authority, guardianship, or legal custody, using audiovisual resources where appropriate.
Article 8 — Legitimate Interest
The legitimate interest of the controller or of a third party constitutes a legal basis for processing personal data, provided that the processing is necessary to satisfy such interest and the fundamental rights and freedoms of the data subject do not prevail.
Processing based on legitimate interest requires that it be carried out within a relevant and appropriate relationship between the data subject and the controller, and always in line with the data subject’s reasonable expectations.
The controller must process strictly necessary data and adopt measures to guarantee transparency of such processing, informing the data subject of the legitimate interest pursued.
The supervisory authority may require the controller to conduct a prior analysis on personal data protection that justifies its legitimate interest and the need to collect or process data in each case, while observing trade and industrial secrets.
The data subject shall have the right to object at any time, for reasons related to their particular situation, to the processing of their personal data by challenging the controller’s legitimate interest.
Chapter II — Obligations of the Controller and the Processor
Article 9 — Controller
Taking into account the nature, scope, context, and purposes of the processing, as well as risks of varying probability and severity to the rights and freedoms of data subjects, the controller shall apply appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is carried out in conformity with this law and its regulation. Such measures shall be reviewed and updated when necessary.
Regulation shall determine the measures applicable according to data types, processing, and controllers, the timing for their review and updating, and protection measures by design and by default.
Article 10 — Joint Controllers
When two or more controllers jointly determine the purposes and means of processing, they shall be considered joint controllers. The joint controllers shall transparently and by mutual agreement determine their respective responsibilities inter partes in fulfilling the obligations imposed by this law. Such agreements, although they may designate a common point of contact for data subjects, shall not exonerate the joint controllers from their joint and several responsibility towards the data subject.
Regardless of the terms of the agreement referred to above, data subjects may exercise their rights against each controller, jointly or separately.
Article 11 — Processor
Where processing is carried out on behalf of a controller, it may only be performed by a party offering sufficient guarantees to apply appropriate technical and organizational measures, so that the processing complies with the requirements of this law and ensures the protection of the data subject’s rights.
In such cases, processing shall be governed by a contract or other legal act authorizing such delegation in accordance with the legal system, which must establish, without prejudice to other elements, the object, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
The processor may also delegate such processing to another processor, in which case the prior paragraph’s requirements must be met. Delegation in this sense does not exclude the delegating processor’s responsibility to the controller regarding fulfillment of the delegated processor’s obligations.
If a processor determines the purposes and means of processing, in violation of this law, it shall be considered a controller with respect to that processing and liable to whomever has the right to claim.
Article 12 — Representatives of Controllers or Processors Not Established in the Republic of Paraguay
Regulation under this law shall establish the cases and conditions under which controllers or processors are required to appoint a representative.
The representative may respond to requests made by the data subject or the supervisory authority.
Article 13 — Binding Self-Regulation Mechanisms
The supervisory authority shall promote the development of binding self-regulation mechanisms aimed at contributing to the proper application of this law.
Binding self-regulation mechanisms may consist of codes of conduct, codes of best practices, binding corporate rules, trust seals, certifications, or other mechanisms that help to achieve the stated objectives, and regulations may establish the requirements necessary for their approval by the supervisory authority.
Codes of conduct may include out-of-court dispute resolution mechanisms, but the use of such mechanisms must not entail additional costs for the data subject or require the data subject to undertake disproportionate travel away from their place of residence.
Article 14 — Impact assessment
Before implementing personal data processing operations that, by their nature, scope, context, or purposes, may pose significant risks to the rights of data subjects, the data controller must conduct an impact assessment of such operations on the protection of personal data.
An impact assessment relating to data protection is mandatory in the following cases:
● a) Systematic and comprehensive evaluation of personal aspects of data subjects based on automated processing, including profiling, and on the basis of which decisions are made that produce legal effects for natural persons or similarly significantly affect them;
● b) Large-scale processing of sensitive data or personal data relating to criminal convictions and offenses; or
● c) Systematic large-scale monitoring in publicly accessible areas.
The supervisory authority shall establish and publish a list of the types of processing operations that require a data protection impact assessment, in accordance with the first paragraph of this article. It may likewise establish and publish a list of processing types that do not require such data protection impact assessments.
The content of the impact assessment shall be established in the regulation of this law.
Article 15 — Prior consultation
The data controller shall consult the supervisory authority before initiating the processing when an impact assessment shows that the processing would involve a risk if the data controller does not adopt measures to mitigate it.
The data controller may not initiate the data processing until the supervisory authority has issued an opinion on the report.
Within thirty business days from the consultation, the supervisory authority must advise the data controller or data processor in writing, in accordance with the functions established in this law. This period may be suspended in extraordinary circumstances for justified cause and only until the supervisory authority has obtained the information requested for the purposes of the consultation.
Article 16 — Security measures
The data controller and the data processor shall periodically carry out a series of actions that ensure the establishment, implementation, operation, monitoring, review, maintenance, and continuous improvement of the security measures applicable to the processing of personal data.
The supervisory authority shall regulate the minimum technical conditions of security and integrity that must be applied by data controllers and data processors.
Article 17 — Notification of a personal data security incident to the supervisory authority and to the data subject
In the event of a personal data security incident, the data controller shall notify the supervisory authority and, where applicable, the data subject, within a period not exceeding seventy-two hours from the moment it became aware of the incident. The conditions and requirements shall be established in the regulation of this law.
Article 18 — Data Protection Officer
The data protection officer is the person appointed to collaborate in and supervise compliance with rules relating to the protection of personal data.
Data controllers and data processors must appoint a data protection officer in the cases to be established in the regulation of this law.
The data protection officer shall be appointed based on professional qualities and the ability to perform the functions to be established in the regulation of this law.
A corporate group may appoint a single data protection officer provided the parameters set forth in this law are met and the data protection officer is easily accessible from each establishment. When the data controller or data processor is a public authority or body, a single data protection officer may be appointed for several such authorities or bodies, considering their organizational structure and size.
The data protection officer may be part of the staff of the data controller or data processor or perform functions under a service agreement.
The regulation shall establish other aspects relating to the data protection officer.
Chapter III — International data transfers
Article 19 — General rules for international transfers of personal data
Transfers of personal data outside national territory, including onward transfers, may only be carried out if the destination country, territory, sector, or international organization offers an adequate level of protection, in accordance with this law.
Adequacy shall be evaluated by the National Agency for Personal Data, which shall determine such adequacy by reasoned decision or by publishing an official list, in line with the principles, rights, and safeguards established in this law.
If the destination country does not offer an adequate level of protection, the data controller or data processor must adopt appropriate safeguards to ensure that the processing of personal data is carried out in accordance with this law. Such safeguards may consist, among others, of specific or standard contractual clauses, binding corporate rules, codes of conduct, or certification mechanisms, always in accordance with the regulation of this law.
The foregoing does not apply in the following cases:
- Agreements under international treaties to which the Republic of Paraguay is a party;
- International judicial cooperation;
- International cooperation among intelligence agencies to fight against terrorism, illicit drug trafficking, money laundering, corruption, human trafficking, and other forms of criminality;
- When personal data are necessary for the performance of a contractual relationship in which the data subject is a party, including activities such as user authentication, service improvement and support, service quality monitoring, account maintenance and billing support, and any activities required for managing the contractual relationship;
- In banking or securities transfers, in relation to the respective transactions and in accordance with applicable law;
- When cross-border flows of personal data are carried out for the protection, prevention, diagnosis, or medical or surgical treatment of the data subject; or when necessary for epidemiological or similar studies, provided that appropriate anonymization procedures are applied;
- When the data subject has given prior, informed, express, and unequivocal consent;
- When the data controller offers and demonstrates guarantees of compliance with the principles, the data subject’s rights, and the data protection regime provided in this law, in the form of:
○ a) Specific contractual clauses for a given transfer;
○ b) Standard contractual clauses;
○ c) Global corporate rules; and
○ d) Seals, certificates, and codes of conduct issued periodically.
Chapter IV — Processing of certain categories of personal data
Article 20 — Processing of sensitive data
Processing of sensitive personal data is prohibited unless:
- The data subject has given consent for the processing of such personal data, except where the law establishes that the prohibition cannot be overridden by the data subject’s consent; consent shall be ineffective if it is not free, informed, or unequivocal, or if consent has been imposed directly or indirectly on the data subject;
- The processing concerns personal data that the data subject has made manifestly public;
- The processing is necessary for the fulfillment of obligations and the exercise of specific rights of the data controller or the data subject in the field of labor law and social security, to the extent authorized by the legal system and provided adequate safeguards are established to ensure respect for the fundamental rights of data subjects;
- The processing is necessary to protect the vital interests of the data subject, where the data subject is physically or legally incapable of providing consent and their legal representatives cannot provide it in a timely manner;
- The processing is carried out, within the scope of legitimate activities and with appropriate safeguards, by a foundation, association, or any other non-profit body whose purpose is political, philosophical, religious, or trade union, provided the processing refers exclusively to current members of such bodies or to persons who maintain regular contact with them in relation to their purposes, and provided personal data are not communicated outside these bodies without the data subjects’ consent;
- The processing is necessary for the formulation, exercise, or defense of claims or when the competent judicial authorities act in the exercise of their judicial function;
- The processing is necessary for reasons of public interest in the field of public health by the competent health authority, such as protection against serious cross-border health threats, or to ensure high levels of quality and safety of healthcare or the provision of food and of medicines or health or food products, with adequate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy;
- The processing is necessary for preventive or occupational medicine, assessment of the worker’s work capacity, medical diagnosis, provision of healthcare or social care or treatment, or management of healthcare and social care systems, in compliance with special regulations or under an agreement with a healthcare professional. Personal data under this subsection may be processed provided such processing is carried out by a professional subject to an obligation of professional secrecy or confidentiality, or under his or her responsibility, or by any other person subject to a duty of secrecy under the legal system;
- The processing is carried out within the framework of humanitarian assistance in cases of natural disasters;
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, which must be proportionate to the objective pursued, respect the essence of the right to data protection, and establish adequate and specific measures to protect the fundamental interests and rights of the data subject. The data must be effectively anonymized; and
- The processing and shared use of the necessary and proportionate data by the State powers, for the exercise of their own functions and the execution of public policies provided in laws and regulatory standards.
Article 21 — Processing of credit data
The protection of credit data, the regulation of the collection activity and the access to credit data, as well as the incorporation, organization, operation, rights, obligations, and dissolution of legal entities dedicated to obtaining and providing credit information, shall be governed by the specific law in force.
Except for functions and powers expressly assigned to the Central Bank of Paraguay, the others granted for implementing the law regulating credit data shall be exercised by the supervisory and control authority established by this law.
This law shall apply supplementarily to matters not provided in the law regulating credit data, insofar as they are compatible with the nature of such information.
Article 22 — Processing for video surveillance purposes
Natural or legal persons, public or private, may process images and sounds through camera or video systems for the purpose of preserving the security of persons and property, as well as their facilities.
Images and sounds of the public way may be captured only to the extent necessary for the purpose mentioned in the previous paragraph.
However, it shall be possible to capture images and sounds of the public way to a greater extent when necessary to ensure the security of strategic property or facilities, or of transport-related infrastructure, provided that in no case may this imply capturing images or sounds from inside a private residence.
Data that must be retained to prove the commission of acts that threaten the integrity of persons, property, or facilities must be made available to the competent authority to take action in the investigation and prosecution of criminal and/or administrative offenses within a maximum period of seventy-two hours from becoming aware of the existence of the recording, notwithstanding the investigative powers of competent authorities within the framework of an open investigation.
Excluded from the scope of this article is the processing by a natural person of images and sound that only capture the interior of their own residence.
This exclusion does not extend to the processing carried out by a private security entity contracted to guard a residence and that has access to such recordings.
Article 23 — Processing of data of a criminal nature, administrative offenses, and sanctions
Processing of personal data relating to criminal acts, as well as related procedures and injunctive and protective reliefs, shall be governed by the respective law.
Processing of data relating to administrative offenses and sanctions shall be governed by its respective law.
Technical and organizational measures shall be adopted to ensure respect for the principle of minimization and other data protection principles and provisions.
Chapter V — Processing of data in the public sector
Article 24 — Access to Public Information and Data Protection
The right of access to information contained in public sources may be denied or limited when such measure is necessary to avoid concrete harm to the protection of private interests inherent in the protection of personal data, in accordance with the rules and principles established in this law and the procedure provided in this article.
The exception to public information access shall apply only when the harm caused to the protected interest is greater than the public interest in obtaining access to the information.
The established exception shall not apply when:
● a) The person has expressly consented to the disclosure of their personal data;
● b) Case circumstances clearly show that the information was delivered to the obligated subject as part of information that must be subject to publicity;
● c) The information is found in publicly accessible sources, notwithstanding special laws;
● d) The information is public in nature according to the legislation in force at the time of access;
● e) There is a court order from a competent body that requires or authorizes its publication;
● f) For reasons of national security and public health, publication is required; and
● g) Information is transmitted among public law entities and between them and subjects of international law, under treaties and inter-institutional agreements, provided the information is supplied solely for the exercise of their own powers.
If the State Body or Entity to which an access-to-information request is addressed notes that it could interfere with the right to personal data protection, it must notify the data subject concerned within no more than three business days after receiving the request.
The data subject shall have five business days to lodge a reasoned objection to the request for access to the personal data concerning them. If the data subject files an objection based on the right to personal data protection within the legal period, the receiving State Body or Entity must request a non-binding opinion from the supervisory authority on the compatibility of the access request with an adequate level of personal data protection. The supervisory authority must issue its opinion within five business days.
If there is an objection, State Bodies and Entities shall have five business days to decide on the access request, counted from receipt of the supervisory authority’s opinion or from expiry of the legal period for issuing it. If the access request is granted despite the data subject’s objection, the State Body or Entity shall notify the data subject and the requester of the requested data or documents within three business days.
In cases of total or partial denial of access or lack of response within the period indicated, the requester may bring judicial action under Title V of Law No. 5282/2014 “On Free Citizen Access to Public Information and Government Transparency”.
Article 25 — Exchange of personal data among public institutions
Communication of personal data among public institutions shall be lawful to the extent that:
- The public institution responsible for the database has obtained the data in the exercise of its legally assigned functions and powers;
- Processing by the public institution receiving the database is necessary to fulfill its legal functions, and the purpose of such processing falls within the scope of its powers;
- The data involved are adequate, proportionate, and do not exceed what is necessary in relation to this latter purpose; and
- The data subject of sensitive data has given consent or an exception established in Article 20 of this law applies.
Title III — Rights related to personal data
Sole Chapter — Rights of data subjects
Article 26 — General provisions on the exercise of rights
Notwithstanding other rights arising from the provisions of this law, the data subject or his or her representative may, at any time, request from the data controller or data processor access, rectification, erasure, objection, and portability of the personal data concerning the data subject.
Exercising any of the mentioned rights is not a precondition for and does not preclude the exercise of another.
The data controller must establish simple, expeditious, accessible, and free means and procedures that allow the data subject to exercise these rights. The data subject’s request must be addressed by the data processor or data controller within a maximum period of thirty calendar days from submission of the request, notwithstanding regulation establishing a shorter period.
After the period expires without the request being satisfied, or if, in the data subject’s view, the response is insufficient, the data subject may appeal to the supervisory authority or, as appropriate, file a habeas data action.
If the data subject opts for habeas data, or has previously exercised it, he or she may not initiate proceedings before the supervisory authority. The exercise of the rights provided in this Chapter is inalienable.
Article 27 — Right to information
The data subject has the right to receive sufficient and easily accessible information, in clear, simple, and easily understandable language, particularly when addressed to children or adolescents or persons with disabilities, about how their personal data are processed, whether provided directly or not.
At the time of obtaining the data, the controller shall provide the data subject at least the following information:
- The categories of personal data to be processed;
- The identity and contact details, which at a minimum shall include the legal address, telephone number, and email address or equivalent channel;
- The legal basis and the purposes of the processing to which the personal data will be subjected;
- The communications or international transfers of personal data that the data controller intends to carry out, including the recipients or categories of recipients and the purposes that motivate such transfers;
- The existence, form, and mechanisms or procedures through which the data subject may exercise the rights of access, rectification, objection, erasure, and portability;
- The retention period for the personal data, or, failing that, the criteria used to determine the period of time;
- The existence of automated decisions, including profiling, and, at least in such cases, meaningful information about the logic applied, without prejudice to the data controller’s intellectual property rights;
- Where applicable, the source of the personal data when the data controller has not obtained them directly from the data subject; and,
- The right to lodge a complaint with the supervisory authority.
The information provided, as well as any communication and any action taken, must be free of charge. Where requests are manifestly unfounded or excessive, particularly because of their repetitive nature, the controller may: a) charge a reasonable fee based on the administrative costs incurred to provide the information or communication or to take the requested action; or b) refuse to act on the request.
The data controller shall bear the burden of demonstrating that the request is manifestly unfounded or excessive.
The data controller must keep a detailed record of denied requests and the reasons for such denial.
Article 28 — Right of access
The data subject has the right to request and obtain access to their personal data held by the data controller or data processor and/or a copy thereof, upon prior proof of identity. The information must be provided in a clear, intelligible form, free of encodings and, if necessary, accompanied by an explanation of any terms used, in language understandable to the data subject. In no case may the report disclose data belonging to third parties, even when linked to the data subject, except where such data have been provided by the interested data subject.
Article 29 — Right of Rectification
The data subject has the right to obtain from the data controller the rectification of their personal data when they are false, erroneous, incomplete, or not up to date.
In the event of assignment or international transfer of erroneous or outdated data, the data controller must notify the rectification to the assignee within five business days of becoming effectively aware of the falsehood, error, inaccuracy, or outdated nature of the data.
During the process of verifying and rectifying the error, inaccuracy, falsehood, or outdated nature of the information in question, the data controller must block the data or, when providing information related to it, must indicate that it is under review for those reasons.
Article 30 — Right to Object
The data subject has the right to object, at any time and for reasons related to his or her particular situation, to the processing of personal data that concerns him or her, including profiling based on those provisions.
When the data subject objects to the processing of his or her personal data, such data shall cease to be processed within ten business days from the submission of the objection request, unless the controller demonstrates compelling legitimate grounds for the processing to prevail over the interests, rights, and freedoms of the data subject, or the processing is necessary for the recognition, exercise, or defense of a right in judicial proceedings.
When the data subject objects to processing for direct marketing purposes, including profiling (to the extent that it is related to such marketing), his or her personal data shall cease to be processed for those purposes within fifteen business days from the submission of the objection request.
Article 31 — Right to Erasure
The data subject has the right to obtain from the controller the deletion of his or her personal data without undue delay, so that such data ceases to be processed, in the following cases:
- When personal data have been processed unlawfully;
- When personal data are no longer necessary in relation to the purpose for which they were collected or processed;
- When the retention period for personal data has expired;
- When the data subject has revoked the consent on which the processing is based and there is no other legal basis for the processing;
- When the data subject has exercised the right to object in accordance with this law, and there are no other legitimate grounds for the processing to prevail; and
- Personal data must be deleted to comply with a legal obligation.
Erasure shall not proceed when it could harm the right to information and freedom of expression or duly proven legitimate interests of third parties; when there are prevailing, duly substantiated reasons of public interest for the challenged processing; or when personal data must be retained for the periods provided in the applicable mandatory legal provisions.
Article 32 — Right to Data Portability
When personal data are processed electronically or by automated means, the data subject may request that his or her personal data be transferred directly from controller to controller in accordance with technical regulations.
This right shall not proceed when:
- Its exercise imposes an excessive or unreasonable financial or technical burden, duly demonstrated, on the data controller or data processor;
- It infringes the privacy of another data subject;
- It violates legal obligations that may be imposed on the data controller or data processor; or
- It concerns data that have already been anonymized by the controller.
Article 33 — Rights Regarding Automated or Semi-Automated Individual Decisions
The data subject has the right to request a review of decisions based on automated processing of personal data that negatively affect his or her interests or produce legal effects, including decisions aimed at defining personal, professional, consumer, credit score, or personality aspects. In addition, the data subject also has the right to express his or her point of view and to challenge the decision.
The controller must provide, whenever it is requested, clear, complete, and adequate information on the criteria and procedures used for the automated decision, while respecting the commercial and industrial secrets of the holder of those rights or those the holder is required by law or contract to keep.
It must adopt appropriate measures to safeguard the rights of the data subject. This right does not eliminate or replace the exercise of other rights that may apply.
Title IV — Supervisory and Control Authority and Its Powers
Chapter I — About the Supervisory and Control Authority
Article 34 — Supervisory and control authority. Legal Nature
The National Agency for Personal Data Protection is hereby created as a deconcentrated unit within the organizational structure of the Ministry of Information Technology and Communication, with the rank of National Directorate, and shall serve as the supervisory and control authority under this law.
The National Agency for Personal Data Protection shall enjoy functional autonomy and independence and shall have sufficient powers of decision, action, regulation, supervision, control, sanction, and all other functions necessary for the fulfillment of this law, acting in accordance with the principles established herein.
The National Agency for Personal Data Protection shall have broad powers to organize itself administratively. It must be provided with the human and material resources necessary to fulfill its functions.
The organic and administrative structure of the Agency shall be established in the regulatory decree of this law and shall include, at a minimum, a Director General as the highest authority and a deputy official.
The National Agency for Personal Data Protection shall have broad powers to issue internal regulations necessary to supplement the normative provisions expressly mentioned in this law.
Article 35 — Functions and Powers of the National Agency for Personal Data Protection
The National Agency for Personal Data Protection is the supervisory authority under this law and has sufficient powers and attributions of action, decision, resolution, regulation, promotion, investigation, supervision, oversight, control, sanction, and others necessary to ensure its effective compliance, as well as the effective exercise and respect of the right to personal data protection.
The National Agency for Personal Data Protection shall have the following functions and powers:
- Supervise, control, and evaluate the activities carried out by controllers and processors of personal data;
- Assist and advise individuals who request guidance regarding the scope of this law and the legal means available to defend their rights;
- Issue rules, regulations, guidelines, and guiding criteria to be observed in the development of activities covered by this law;
- Process claims and/or complaints filed, carry out preliminary actions, and, if deemed appropriate, initiate administrative proceedings for alleged non-compliance with this law and its regulatory provisions;
- Carry out technical audits of personal data processing in accordance with this law and regulations;
- Request information relevant to its area of competence from public and private institutions, which must respond within the established period;
- Impose administrative sanctions, after due process, for violations of this law and its regulations;
- Approve binding self-regulatory mechanisms or codes of conduct and oversee their compliance;
- Issue standard data protection clauses;
- Prepare and maintain a list regarding the requirement to conduct data protection impact assessments;
- Create certification mechanisms in data protection to provide the established guarantees;
- Assess the adequacy of the recipient country or organization in international data transfers;
- Request information from data protection officers, under the terms of this law and its regulatory provisions;
- Promote cooperation with personal data protection authorities of other countries, with the power to sign international administrative and non-normative agreements in the field;
- Issue non-binding technical opinions when, in administrative or judicial proceedings, it is necessary to balance the right of access to public information and the right to personal data protection, where there are doubts about their application;
- Prepare annual management reports on its activities;
- Collaborate with State Bodies and Entities on matters within its competence;
- Exercise the functions and powers required for the proper implementation of the provisions in force under Law No. 6534/2020 “On the Protection of Credit Personal Data,” or any law that replaces it, except for those expressly assigned to the Central Bank of Paraguay and within its competence; and
- Any other functions assigned by this law or its regulatory decree, as well as those necessary to ensure effective implementation and compliance.
Article 36 — Financial Resources of the National Agency for Personal Data Protection
The financial resources of the National Agency for Personal Data Protection shall consist of:
- The resources annually allocated in the General Budget of the Nation, which shall be incorporated into the budget of the Ministry of Information and Communication Technologies and must be fully identifiable therein;
- Income from fines imposed in the exercise of its sanctioning powers established in this law; and
- Funds arising from agreements and/or arrangements, granted credits, loans, financing, contributions, donations, bequests, or from any other source, whether of national or international origin, provided that this does not give rise to a conflict of interest.
The income listed in item 2 shall be deposited into a special account of the Ministry of Information and Communication Technologies exclusively designated for the resources of the National Agency for Personal Data Protection.
In no case shall these resources be used for purposes other than those established in this law and its regulations.
Chapter II — Management of the National Agency for Personal Data Protection
Article 37 — Appointment of the Director General of the National Agency for Personal Data Protection
The National Agency for Personal Data Protection shall be headed by a Director General. The National Directorate shall be assisted by a deputy director to whom functions may be delegated in the form and conditions established in this law and its regulations.
The Director General and the Deputy shall be appointed by executive decree, from a three-person shortlist proposed by the Ministry of Information Technologies and Communication, following a public competition.
The Agency shall exercise its functions with exclusivity, independence, and objectivity, limiting the Ministry of Information Technologies and Communication's hierarchical authority to matters unrelated to the functions of the exclusive competence of the National Agency for Personal Data Protection, except in cases of administrative proceedings.
Article 38 — Powers and Duties of the Director General of the National Agency for Personal Data Protection
The powers and duties of the Director General of the National Agency for Personal Data Protection are:
- Comply and ensure compliance with this law and its regulatory provisions;
- Exercise regulatory authority under the terms provided in this law;
- Direct and organize the structure and functions of the Agency, issuing internal regulations and manuals as necessary;
- Represent the National Agency for Personal Data Protection, with the ability to sign documents and grant general and special powers for judicial and administrative actions on its behalf;
- Appoint, remove, or transfer Agency staff and set office hours and work shifts, in accordance with the relevant regulations;
- Enter into contracts and agreements with national, binational, international, public, or private institutions and bodies, in coordination with the Ministry of Foreign Affairs where appropriate, to fulfill the objectives and purposes of the Agency and this law;
- Order inspections and/or technical or administrative oversight and/or audits of individuals who are subject to this law;
- Order the initiation of administrative proceedings and the application of sanctions when, as a consequence of the proceedings, it is relevant;
- Appear annually before the Senate’s Committee on Science, Technology, Innovation, and Future and before the House of Representatives’ Committee on Science and Technology to report on management and present plans and priorities for the future; and
- Perform any other function related to personal data protection within the framework of this law.
Article 39 — Requirements for the Position of Director General of the National Agency for Personal Data Protection
The requirements to hold the positions of Director General and Deputy of the National Agency for Personal Data Protection are:
- Hold Paraguayan nationality and be at least thirty years of age;
- Hold a University degree;
- Have proven suitability, capacity, and experience in personal data protection, ensuring independence of judgment, efficiency, objectivity, and impartiality in the performance of duties;
- Have a good reputation;
- Not have been convicted of criminal offenses under national laws for the duration of the ruling; nor to have resorted to alternative mechanisms for the termination of criminal proceedings or the suspension of a sentence, for the period during which such suspension of the proceedings or sentence remains in effect; and
- Not having been disqualified from holding public office while the disqualification remains in effect.
Article 40 — Term of Office and Removal
The Director General of the National Agency for Personal Data Protection and the Deputy shall serve a three-year term and may be appointed again for subsequent periods.
They shall also leave office prior to the expiration of their term in the following circumstances:
a) Removal due to poor performance of duties. Administrative proceedings to establish grounds for removal shall be conducted in accordance with the law governing public service;
b) Resignation submitted to the President of the Republic;
c) Supervening incapacity to perform duties; and
d) Final conviction for the commission of a criminal offense involving deprivation of liberty.
In no case shall the positions of Director General or Deputy of the National Agency for Personal Data Protection be considered positions of trust or subject to free disposal.
The Director General and the Deputy shall be personally liable for the consequences of their technical, administrative, and financial management, and for any decision adopted in contravention of legal and regulatory provisions.
Title V — Administrative Protection
Chapter I — Violations and Their Consequences
Article 41 — Administrative Protection
Without prejudice to the constitutional guarantee of habeas data, the data subject may file claims or complaints with the Agency to enforce his or her rights, in the form and conditions provided in this law and its regulations.
The Agency may initiate proceedings to verify compliance with the provisions of this law at the request of the data subject, his or her legal or conventional representative, a third party with a legitimate interest, or ex officio.
In the proceedings, the provisions of this law, its regulations, and Law No. 6715/2021 “On Administrative Procedures,” or any law that replaces it, shall apply to the extent relevant. Without prejudice to administrative protection, the data subject may seek judicial protection to obtain compensation for damages suffered as a result of a violation of his or her rights to personal data protection, in accordance with this law.
Article 42 — Corrective Measures
In case of non-compliance with the provisions of this law, without prejudice to any administrative sanction imposed, the Agency may issue corrective measures to eliminate, prevent, or stop the effects of violations, as well as to deter recurrences.
Corrective measures may include, among others:
- Cessation or suspension of processing, under certain conditions or time frames;
- Deletion of data; and
- Imposition of technical, legal, and organizational measures that ensure proper processing of personal data.
An appeal against corrective measures shall have no suspensive effect on their execution.
Article 43 — Conduct Constituting Violations
Any act or omission that entails non-compliance with provisions established in this law, its regulatory provisions, and those issued by the Agency within the scope of its powers for their enforcement, shall be considered a violation.
Violations are classified as minor and major.
Administrative actions and measures adopted as a consequence of the conduct mentioned are independent of actions or measures adopted in judicial proceedings when such conduct simultaneously generates civil or criminal liability, and, as applicable, so too are the remedies, penalties, or sentences applied in each case.
Article 44 — Minor Violations
The following are considered minor violations and shall be time-barred after one year:
- Collecting personal data for use in a database without providing sufficient and comprehensive information to the data subject, in accordance with the technical specifications established in the implementing regulation of this law;
- Collecting, storing, and transmitting personal data of third parties by insecure mechanisms or those that do not guarantee the security and unalterability of the data;
- Failing to honor the rights of access, rectification, erasure, restriction of processing, or data portability in processing operations where identification of the affected person is not required, when the person has provided additional information enabling identification for the exercise of those rights;
- A processor’s failure to comply with the stipulations imposed in the contract or legal act governing processing or with the controller’s instructions, except where legally obliged to do so under other laws of the Republic of Paraguay and this law, or where necessary to avoid infringement of data protection legislation and prior notice was given to the controller or processor;
- Incomplete, late, or defective notification to the supervisory authority of information related to a personal data security breach as provided in this law;
- Unjustified refusal to grant a data subject access to the personal data recorded in files and databases, in order to verify their quality, collection, storage, and use in accordance with this law;
- The controller’s engagement of a processor that does not offer sufficient guarantees to apply appropriate technical and organizational measures in accordance with this law and its regulations;
- Failure to keep personal data protection policies relevant to the processing of personal data available; and
- Non-compliance with legal or regulatory obligations, provided such obligations have not been categorized as major violations.
Article 45 — Major Violations
The following are considered major violations and shall be time-barred after two years:
- Transferring personal data to other people or companies in contravention of the rules established in this law;
- Repeated unjustified refusal to grant a data subject access to his or her personal data recorded in files and databases, to verify their quality, collection, storage, and use in accordance with this law;
- Unjustified refusal to delete or rectify a person’s data when the person has clearly and unequivocally requested it;
- Processing the personal data of a minor without obtaining consent when the minor has the capacity to give it, or without the consent of the holder of parental authority or legal guardianship;
- Failure to demonstrate reasonable efforts to verify the validity of consent given by a minor or by the holder of parental authority, custody, or legal guardianship over the minor;
- Impeding, obstructing, or repeatedly failing to honor the rights of access, rectification, erasure, or portability in processing operations where identification of the affected person is not required, when the person has provided additional information enabling identification for the exercise of those rights;
- Failure to adopt appropriate technical and organizational measures to effectively apply data protection principles by design, as well as failure to implement necessary safeguards in processing;
- Failure to adopt appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific processing purpose are processed;
- Failure to adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing;
- The breach, as a consequence of lack of due diligence, of the technical and organizational measures implemented under this law;
- Failure to comply with the obligation to designate a representative for a controller or processor not established in the Republic of Paraguay, as provided in Article 12 of this law;
- Entrust the processing of data to a third party without prior formalization of a contract or other formally appropriate written legal act, as required by this law;
- The subcontracting of data processors without the prior authorization of the controller or without informing the controller of changes in subcontracting where legally required;
- Failure of the data processor to notify the controller of security breaches of which it becomes aware;
- Failure to notify the supervisory authority of a personal data security breach, as provided in Article 17 of this law;
- Processing personal data without conducting a data protection impact assessment in cases where such assessment is required;
- Processing personal data without prior consultation with the supervisory authority in cases where the law establishes the obligation to carry out such consultation;
- Failure to designate a data protection officer when such appointment is required under this law and its regulation;
- Failure to enable the effective participation of the data protection officer in all matters related to personal data protection, failure to provide due cooperation, or interfering with the performance of his or her duties;
- The use of a false national or international data protection seal or certification, or the use of such seal or certification after its validity has expired;
- Collecting, storing, and transmitting personal data of third parties by insecure mechanisms or those that do not guarantee the security and unalterability of the data;
- Failure to comply with the obligation of notification by controllers or processors regarding rectification or erasure of personal data required by this law;
- Failure to meet the requirements established by this law regarding the validity of consent;
- Omission of the duty to inform the data subject about the processing of his or her personal data, as provided in Article 27 of this law;
- Requiring payment of a fee for the exercise of any of the rights established in Title III, Sole Chapter “Rights of Data Subjects” of this law;
- Collecting, storing, transmitting, or otherwise using, by a private natural or legal person, sensitive data without meeting one of the legal requirements established in the applicable legislation;
- Obtaining personal data from data subjects or third parties by means of deception, violence, or threats;
- Disclosing information recorded in a personal data database where secrecy is legally required;
- Providing a third party with false or altered information contained in a data file, knowingly;
- Transferring, to databases in third countries, personal information of Paraguayan residents or foreigners located in the country, without the consent of the data subjects when consent is required;
- Processing personal data relating to criminal convictions and offenses or related security measures outside the cases permitted under applicable legislation;
- The breach of the principle of confidentiality established in this law;
- Failing to provide the supervisory authority access to personal data, information, premises, equipment, and processing means requested for the exercise of its investigative powers;
- Resisting or obstructing the exercise of the supervisory function by the competent supervisory authority;
- Deliberately reversing an anonymization or pseudonymization procedure to enable re-identification of data subjects;
- Collecting, storing, transmitting, or otherwise using personal data without meeting one of the legal requirements established in this law; and
- Failure to conduct a prior impact assessment before implementing data processing operations that may pose significant risks to the rights of data subjects, under the terms of this law.
Article 46 — Administrative Sanctions
Sanctions to be applied by the Agency for proven violations may consist of:
- Warning, indicating the period and manner for adopting corrective measures, where applicable;
- Fines: from twenty up to two thousand five hundred minimum daily wages for miscellaneous activities not specified in the Republic of Paraguay:
○ 2.1. For violations committed in the processing of sensitive data, the fines may be increased up to five thousand minimum daily wages for miscellaneous activities not specified in the Republic of Paraguay.
○ 2.2. For violations committed in the processing of sensitive data of children and adolescents, the fines may be increased up to ten thousand minimum daily wages for miscellaneous activities not specified in the Republic of Paraguay; and
- Suspension of activities related to the processing of personal data.
The application of different types of sanctions may be individual or cumulative.
The Agency is empowered to issue supplementary and/or clarifying rules for this article.
Article 47 — Criteria for Imposing Administrative Sanctions
Administrative sanctions shall be determined considering the following criteria:
- The seriousness and nature of the violations and the harm or risk to the legal interests protected by this law;
- The offender’s good faith or the explicit recognition or acceptance by the investigated party of the commission of the violation prior to the imposition of the applicable sanction;
- The degree of responsibility of the offender, as well as intent or negligence in the character of the violation;
- The advantage or economic benefit obtained or sought by the offender by virtue of the violation;
- The offender’s economic situation;
- Recurrence of the conduct;
- The offender’s cooperation in the supervisory authority’s investigative action;
- Repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing harm, aimed at secure and proper data processing;
- Adoption of a policy of good practices or a code of conduct;
- Prompt adoption of corrective measures; and
- Any other criteria the supervisory authority may consider, according to the nature of the case.
Article 48 — Limitation Period for Enforcement of Sanctions
The limitation period for the enforcement of sanctions shall be two years from the moment the resolution imposing them becomes final.
Article 49 — Payment of Fines
The amount of the fines must be paid within thirty business days from notification.
The regulation shall establish the consequences of non-compliance, including interest, as well as any other relevant aspects for the effective fulfillment of the imposed sanction.
Article 50 — Presumed Non-Compliance by Public Institutions
If the supervisory authority detects presumed non-compliance with the provisions of this law by public institutions, it shall issue a warning and adopt a resolution establishing corrective measures that must be taken to cease or correct the effects of the violation.
The resolution ordering the implementation of measures shall be notified to the highest authority of the public institution in which the violation occurred and to the affected data subject, if any.
Without prejudice to the foregoing, the public institution, after analyzing the facts in question, shall take the appropriate measures with respect to the presumed responsible parties, including, without limitation, initiating administrative proceedings to impose disciplinary sanctions in accordance with the procedure established for that purpose.
Chapter II — Filing a Complaint or Claim
Article 51 — Claim before the Supervisory Authority
The data subject or his or her legal representative may file a claim or complaint, free of charge, by any means enabled for that purpose by the supervisory authority, clearly stating the content of the request and the provisions of this law considered to be violated, and proving that the corresponding request was made to the processor or controller responsible for the processing in question, attaching the response if one was given.
The submission must be made within fifteen business days following the date on which the response to the request is communicated by the controller or the processor, or at any time if the period established for such purpose has expired without a response from the controller or the processor. If a response has been issued, it must be attached to the submission of the claim.
Article 52 — Resolution of the Supervisory Authority
Upon receiving a claim or complaint, the supervisory authority may, by reasoned resolution:
a) Dismiss the claim or complaint filed;
b) If it considers that the data subject has a valid claim, require the controller or processor to make effective the exercise of the protected rights, and to report in writing on such compliance to the supervisory authority within fifteen business days of doing so; and
c) If a violation is confirmed, apply the sanctions provided in this law.
Chapter III — Establishing Violations and Imposing Administrative Sanctions
Article 53 — Procedure for the Verification of Violations and Application of Sanctions
Violations of the provisions of this law and its regulations must be proven in administrative proceedings.
Initiation of the proceedings shall be ordered by resolution of the Director General of the Agency and shall contain a complete account of the facts, acts, or omissions imputed to the presumed offender, as well as the appointment of an Investigating Judge from among the staff of the supervisory authority.
The regulation shall determine the procedure and deadlines to be followed, including the period for the Investigating Judge to present his or her final opinion to the Director General and the period for issuing the corresponding resolution. All other aspects of the procedure shall be governed by Law No. 6715/2021 “On Administrative Procedures,” or any law that replaces it.
Article 54 — Precautionary Administrative Measures
Once the sanctioning procedure has begun, the adoption of provisional measures to ensure the effectiveness of the final resolution that may be issued in the proceeding may be ordered by a reasoned resolution.
Article 55 — Motion for Reconsideration
A motion for reconsideration may be filed against any non-regulatory resolution or administrative act issued by the Agency and must be submitted to the Director General of the Agency.
The administrative stage is exhausted with the resolution of the Director General of the Agency for Personal Data Protection. The Ministry of Information and Communication Technologies shall have no competence for processing requests and other procedures related to personal data protection rights or other powers of this Agency.
Article 56 — Administrative Contentious Action
The administrative contentious action may be brought before the Court of Accounts within the period established by Law No. 6715/2021 “On Administrative Procedures,” or any law that replaces it.
The motion for reconsideration and the administrative contentious action shall have suspensive effect when filed against resolutions imposing administrative sanctions, but shall not suspend precautionary administrative measures ordered or corrective measures aimed at preventing harm.
Title VI — Final and Transitional Provisions
Article 57 — Entry into Force
This law shall enter into force twenty-four months after its official publication.
Article 58 — Assumption of Functions and Powers
Any reference in Law No. 6534/2020 “On the Protection of Credit Personal Data” to the Secretariat for Consumer and User Defense shall, from the entry into force of this law, be understood as a reference to the National Agency for Personal Data Protection.
Article 59 — Repeals
Subsections a) and b) of Article 3, Article 4, subsection b) of Article 20, and subsection x) of Article 21 of Law No. 6534/2020 “On the Protection of Credit Personal Data” are hereby repealed.
Article 60 — Regulation
The Executive Branch shall issue the regulation of this law within twenty-four months of its publication in the Official Gazette.
Article 61 — Communicate to the Executive Branch.
Having been approved by the Honorable Chamber of Deputies on the fourteenth day of October, two thousand twenty-five, and by the Honorable Chamber of Senators on the fifth day of November, two thousand twenty-five, the bill is hereby enacted in accordance with the provisions of Article 207, subsection 2) of the Constitution.