The Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais, in short: LGPD) is a federal law containing 10 legal bases for the processing of personal data. The law was designed in part as a step to achieve “compliance” with the European GDPR, in order to share data with the EU.
The LGPD’s main objectives are privacy protection, ensuring openness; encouraging progress and development; standards harmonization; legal safety; and promoting market competitiveness.
The Brazilian Data Protection Law brings together 40 existing laws to regulate the processing of personal data of individuals or legal persons.
After several delays, the law entered into force in 2020. A transitional period of 1 year was given for businesses to comply with the law.
Read on to find out if the LGPD also applies to you!
Setting the guiding principles for the processing of personal data
Providing consumers with a set of rights over their data
Rules regarding data breach reporting
The law also establishes a Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados = ANPD)
The “Lei Geral de Proteção de Dados” (LGPD), is a long and detailed law that significantly affects everyday business in Brazil. A solid understanding of LGDP is a must for any business with Brazilian clients, customers, partners. The maximum penalty for leaking personal data is R$ 50 million or up to 2 percent of the organization’s annual revenue.
We’ll look at the law a little deeper below. Let’s start:
The LGPD applies to organizations worldwide that have any connection with people in Brazil. Whether it’s customers, employees, business partners, or contractors. International privacy laws often share the characteristic of including an extraterritoriality element, just like GDPR or CCPA do.
If a company directly or indirectly deals with Personally Identifiable Information (PII) from people outside it, then the control and management of that data must fully comply with the law.
By external persons, we include all stakeholders that a company may have, such as: customers, suppliers, visitors, service providers, leaders, etc. Since every company deals with data from outsiders, it can be said that the requirements of this law cover every company. LGPD is not limited to businesses of a particular size or turnover.
Processing personal data in Brazil, or data that was collected in Brazil
Processing the personal data of people in Brazil, or
Offering goods or services to Brazilian clients and consumers
LGPD does not apply in case when:
you carried out processing personal data exclusively for private, non-profit, journalistic, artistic and/or academic purposes
the processing of personal data is carried out exclusively for the purpose of public and state security, national defense, or investigation and prosecution of crimes
shared with Brazilian data processing agents, is subject to international transfer to a country besides the country of origin, or originates outside of Brazil and is not subject to communication
The LGDP provides nine rights for individuals over their personal data.
The controller protects and facilitates the individual’s personal data rights.
right of the person to confirm that their personal data is being processed
right of access to personal data
right to correction of incomplete, incorrect or outdated personal data
right to anonymize, block or delete any unnecessary, excessive, or inconsistent personal data
the right to ask the data controller to move their personal data to another service or product provider (data portability)
right to erasure of their personal data (with exceptions, according to Article 16)
right to information about public or private entities with whom their personal data is shared, as well as why it is shared
right to provide information about own rights and to refuse to consent to the processing of one’s personal data and the consequences of refusal
right to revoke the consent to the processing of their personal data
The European General Data Protection Regulation GDPR inspired the origin of Lei Geral de Proteção de Dados. What the GDPR is to residents of Europe, the LGDP is to residents of Brazil. LGPD is similar to GDPR in many ways, however, there are a few differences.
In the following, we will make a short comparison of these two laws, highlighting the key differences between them.
LGDP: Residents of Brazil
GDPR: Residents of the EU
The LGPD covers some legal bases for processing personal data, which are not covered by GDPR. Among them, we include: credit protection, credit analysis; protection of health; anonymization of personal data (where possible); and exercise of rights in administrative, arbitration, or judicial proceedings.
LGDP: Any organization that processes personal data of Brazilian residents, regardless of its location
GDPR: Any organization that processes personal data of European residents regardless of its location
LGDP: required under certain circumstances
GDPR: DPO is mandatory
LGPD: The greater of 2% of annual revenues or R51 million
GDPR: Up to 4% of annual revenue or up to 20 million euros for violation
It is characteristic of Brazil that there is no real authority to whom you should report an incident for data breach. Instead, investigations, fines and other punitive measures are initiated by Brazilian agencies that monitor the rights of data subjects. Such is the case with the Ministry of Public Affairs.
The deadline for reporting the incident is specified as a “reasonable time”, unlike the GDPR, where the deadline is set at 72 hours.
YES! If:
Your organization operates in Brazil
Your organization operates anywhere in the world, but processes the data of any individual in Brazil
The degree of application depends on the nature of your business.
Today, the LGDP is an effective law which prevents the misuse of personal data by regulating how businesses and organizations can collect, use and handle personal data. It increases accountability by supplementing or replacing existing federal sector privacy laws. LGDP also enables the creation of a Data Protection Authority.
It’s of huge importance for you to evaluate the processing of personal data and determine whether the requirements of the LGPD apply to you.Then consult with a legal expert or a trustworthy Data Compliance Service, who will determine the extent of applicability to your business and provide guidance on the specific requirements of the LGPD that apply specifically to your organization!
Andreas Springer _Actonic_
Head of Marketing
Actonic GmbH
Germany
2 accepted answers
0 comments