Brazil’s data protection law, which went into effect in February 2020, created a data protection framework for businesses and organizations that process personal data. The LGPD gave rights to millions of people in Brazil while significantly limiting what organizations can do with their personal data. But what do these regulations mean for Brazil and the rest of the world?

What is Brazil’s General Data Protection Law (LGPD)?

Lei Geral de Proteção de Dados (LGPD) is the Brazilian data privacy law that establishes a framework for processing the personal data of Brazil’s residents. It defines how individuals, organizations, and governments should collect, use, and share the personal data of Brazilians, no matter where the data processing entity is located. Citizens can now easily inquire about what data companies hold on them, request that it be deleted, and expect to be informed about any data breaches.

A brief history of Brazil’s General Data Protection Law (LGPD)

Brazil’s journey to protect personal data began in August 2018, when the National Congress of Brazil enacted the LGPD, which was modeled on the European Union’s General Data Protection Regulation (GDPR). Before the LGPD, digital privacy protection in Brazil was a fragmented legal landscape that only vaguely defined residents’ rights. The state authorities therefore came together and created this unified framework, ensuring a comprehensive approach to data protection. The transition period, which organizations needed to align their processes with the law’s requirements, lasted two years, and the LGPD finally took effect on August 15, 2020. Alongside the LGPD, the Brazilian government established the National Data Protection Authority (ANPD), which now manages enforcement and ensures that data processors collect, use, and share Brazilian residents’ data in compliance with the LGPD.
The main provisions and requirements of the LGPD

What is considered personal data, and how should it be handled? Here’s a breakdown of Brazil’s data protection law.

Personal rights. Individuals whose data is being collected and processed have new rights under the LGPD. These include access to their collected personal data, its erasure, and data portability. Data portability means that data subjects have the right to access their personal information and transfer it elsewhere. Companies must comply with such requests within 15 days.

Data breach notification. Under the new law, companies must notify the National Data Protection Authority (ANPD) about personal data breaches. Individuals whose data is affected must also be informed. As under the GDPR, businesses are now obliged to appoint a data protection officer to oversee information processing.

Processing data. The LGPD lays out 10 principles for data processing. These include accountability, non-discrimination, legitimate purpose, transparency, security, and accuracy. It also sets out the circumstances under which data can be processed, with consent being the first.

Brazil’s legal jurisdiction. The LGPD applies to companies based in Brazil or serving Brazilian customers. Even if a company is headquartered overseas, it must comply with the data protection law when it handles the personal data of the country’s citizens.

Data mapping. Organizations must record all data processing activities in a report. Organizations must also carry out a privacy impact analysis for personal data processing.

Penalties. The punishment for non-compliance can amount to up to 2% of the company’s gross revenue in Brazil in the last year or R$50 million per violation, which is roughly US$12.9 million. The law has a few exceptions, including national security, research, journalism, and artistic purposes.

Nine rights for individuals under Brazil’s LGPD

The LGPD outlines nine rights for data subjects:

1. The right to confirm the processing of personal data.
2. The right to access the personal data that an institution collects about them.
3. The right to correct incomplete, inaccurate, or outdated personal information.
4. The right to request the anonymization, blocking, or deletion of unnecessary or excessive data, or of data processed in violation of the LGPD.
5. The right to transfer their personal data to another data processor.
6. The right to request data deletion in case of non-compliance with the LGPD.
7. The right to know with whom (public or private entities) the data controller has shared their data.
8. The right to be informed about the possibility of denying consent and the consequences of doing so.
9. The right to revoke consent.

Benefits of the LGPD

The LGPD is not just another layer of bureaucracy. It encourages trust, enhances consumer rights, and takes businesses to the next level of responsibility when processing user information in Brazil. Its advantages extend far beyond legal compliance, so let’s explore what the LGPD brings to the table:

Benefits for organizations. The LGPD was created in response to rising concern about personal data security. However, it brings plenty of other benefits to organizations that manage Brazilians’ data. The LGPD helps organizations strengthen their reputation and increase the trust of their customers, employees, and business partners by ensuring the safety of their data. Moreover, a unified data management system streamlines internal data handling procedures, which lowers the chance of security incidents that may lead to fines and potential lawsuits.

Benefits for individuals. The ultimate aim of the LGPD is to protect Brazilian residents’ data. It also gives individuals more control over how institutions manage their private information. The LGPD allows people to access their data, have it ported between different data processors, delete excessive information online, or correct inaccurate data.
This law obligates organizations to obtain consent from individuals when collecting and processing personal information and to inform them of the reason behind the data collection. This means that Brazilians can change their mind about sharing their data and revoke the consent they have given. A transparent data collection and management system may help organizations and customers build trust and mutually beneficial relationships.

LGPD vs. GDPR

The LGPD and the GDPR were both created to set a framework for how institutions and organizations must collect, manage, and store the personal data of Brazilian and EU residents, respectively. Let’s explore the similarities and differences between the two:
Geographical scope
LGPD: Applies to the data processing of Brazilian residents, no matter where the data processor is based.
GDPR: Applies to data processing of EU residents, regardless of where the data processor is located.

Legal basis for processing
LGPD: Requires a legal basis to process data. The LGPD provides 10 legal bases, such as consent, compliance with regulatory obligations, and protection of the data subject’s physical safety.
GDPR: Requires a legal basis to process data, such as consent, contract, compliance with legal obligations, and protection of vital and public interests.

Data subjects’ rights
LGPD: Access, correction, and deletion of data, data portability, and the right to be informed about data processing.
GDPR: Access, rectification, erasure (“right to be forgotten”) of data, data portability, and the right to be informed.

Data protection officer (DPO)
LGPD: Requires data controllers to appoint a DPO.
GDPR: Requires both data controllers and processors to appoint DPOs.

Data breach notification
LGPD: Data processors must notify the National Data Protection Authority (ANPD) and the data subject about data breaches immediately.
GDPR: Data processors must notify supervisory authorities and data subjects about a data breach within 72 hours if the breach poses a threat to individual rights and freedoms.

Fines and penalties
LGPD: Fines up to 2% of the organization’s revenue, to a maximum of 50 million reais per violation.
GDPR: Fines up to €20 million or 4% of an organization’s global annual revenue, whichever is higher.

International data transfers
LGPD: Allows international data transfers to countries or international organizations that meet specific requirements of the LGPD.
GDPR: Allows data transfers to countries that comply with certain GDPR requirements.

Authority
LGPD: Enforced by the National Data Protection Authority (ANPD).
GDPR: Each EU member state has its own supervisory authority, coordinated by the European Data Protection Board (EDPB).