Zscaler and Brazil Data Protection Laws

Introduction

Since its enactment in September 2020, the General Data Protection Law (LGPD) has represented a historic milestone in the processing of personal data in Brazil, both in physical media and on digital platforms, for public and private institutions. 

Protection of personal data is also included in the list of fundamental rights and guarantees (art. 5, LXXIX) since the enactment of Constitutional Amendment n. 115/2022. 

On this page, you’ll find key provisions and information about how Zscaler complies with the LGPD.

What is Personal Data under the LGPD?

The LGPD defines personal data broadly, encompassing any information related to an identified or identifiable natural person, which includes but is not limited to names, online identifiers, and geolocation data.

Zscaler ensures compliance with the LGPD’s definition by considering any data relating to an identified or identifiable natural person, including data used to create a behavioural profile of an identified natural person, in alignment with Articles 5º, I, and 12, §2º of the LGPD.

How does Zscaler comply with the LGPD?

The LGPD establishes principles for lawful processing, including purpose limitation, adequacy, necessity, free access, quality of data, transparency, security, prevention, nondiscrimination, and accountability according to Article 6º of the LGPD.

Legal basis: Zscaler ensures compliance with the LGPD by processing data according to the specific applicable legal basis, including by requiring its customers to obtain all necessary consents and only processing personal data for the purpose of providing its services and products to the customer.

Purpose limitation: Zscaler ensures that personal data is processed for legitimate, specific, and explicit purposes, with no possibility of subsequent processing that is incompatible with these purposes. For that, Zscaler identifies and documents its purposes for collecting personal data and explains those purposes to its customers.

Adequacy and necessity: Zscaler only processes the personal data necessary to provide our products and services. This means Zscaler only processes data that is relevant, proportional, and non-excessive in relation to the purposes of the data processing.

Free access and quality of data: Zscaler assists its customers in fulfilling their obligations to provide right of access, right to rectify, and all other rights listed under Article 18 of the LGPD.

Transparency: Zscaler makes its privacy-related policies readily available on Zscaler websites and strives to make these policies clear, precise, and easily accessible to guarantee transparency about the processing of personal data.

Security, prevention, and nondiscrimination: Zscaler has developed and implemented security policies to protect all personal information against loss, theft, or any unauthorised access, disclosure, copying, use, or modification, considering the sensitivity of the information and other factors. Zscaler reviews its security safeguards regularly to ensure they are up to date and addresses any vulnerabilities through regular security audits and/or testing. Further, Zscaler ensures that its employees are aware of the importance of maintaining the security and confidentiality of personal information, and Zscaler conducts regular staff training on security safeguards.

International transfers: Zscaler satisfies the international transfer requirements of the LGPD through the commitments it makes to protect personal data in its End User Subscription Agreement and Data Protection Agreement. Zscaler will monitor and comply with any country-specific restrictions that may be imposed by the National Authority of Data Protection (ANPD), such as the standard contractual clauses under discussion, which are similar to the Standard Contractual Clauses under the GDPR.

Breach notification: In the event of a security breach involving a customer’s personal information, Zscaler will promptly notify the customer.

Accountability: Zscaler Legal, Compliance, and CISO teams work together to ensure Zscaler’s compliance with data protection laws, including LGPD. Zscaler employees are regularly trained to comply with applicable data protection requirements.

Zscaler will carefully monitor developments of the LGPD to ensure Zscaler remains compliant with Brazil’s data protection requirements.