In September 2020, Brazil passed Lei Geral de Proteção de Dados (LGPD), the country’s national data protection legislation. Brazil is one of the most internet-connected countries in the world. So, a nationwide privacy law to protect its residents and their personal data has been a long time in the making. After many roadblocks, the law went into immediate effect on September 18, 2020.
LGPD is Brazil’s first data privacy law that sets forth a comprehensive framework for regulating the use and processing of all personal data. It imposes data protection obligations on businesses that process the personal data of Brazil’s citizens.
Purpose: The LGPD is Brazil’s first data privacy legislation that aims to protect the personal data of its residents.
Effective date: September 18, 2020
Enforcement agency: Brazilian Data Protection Authority (ANPD)
Violation: 2% of an organization’s annual revenue or up to BRL 50 million
Official text: Lei Geral de Proteção de Dados Pessoais (LGPD)
LGDP is heavily influenced by the EU’s General Data Protection Regulation (GDPR). This blog will cover the most important provisions of LGPD and highlight its similarities and differences with the GDPR.
Who is covered under LGPD?
The LGPD applies to any person or organization collecting the personal data of residents of Brazil. Unlike its predecessors such as the GDPR and CCPA, the LGPD is not limited to businesses of a particular size or turnover. It applies to any organization that:
- Process personal data in Brazil
- Process personal data that is collected in Brazil
- Process personal data of individuals residing in Brazil
- Offer goods or services to consumers in Brazil
That means the law applies even if your business has no physical presence in the country. If your business is not located in Brazil, but you have consumers, business partners, employees, or vendors from Brazil, you should comply with the LGPD.
LGPD gives exemptions only in a few cases, such as when data is collected exclusively for journalistic, artistic and academic purposes, or public safety and national defence.
How does LGPD define personal data?
The LGPD defines personal data as “information regarding an identified or identifiable natural person.” The law does not limit its definition of personal data to a set of identifiers or characteristics nor provides any specific examples for the same. What does this mean? If your business collects any data of an individual, it’s on the safe side to treat it as personal data. Like the GDPR, LGPD can thus take a broad view of what it considers personal data.
Sensitive personal data
LGPD defines sensitive personal data as information regarding racial or ethnic origin, religious belief, political opinion, union membership or religious organization, philosophical or political nature, data relating to health or sexual life, and genetic or biometric data.
LGPD also defines anonymized data as any data related to an individual that cannot be identified. Anonymized data is not considered as personal data, except when the process of anonymization has been reversed or if it can be reversed.
What are the legal bases for processing in LGPD?
Much like the GDPR’s six legal bases, the LGPD lays out ten legal bases or “requirements” for the lawful processing of personal data.
- Consent: You have the consent of the data subject
- Legal obligation: You have to process personal data to comply with a legal or regulatory obligation
- Public policy: You need to process personal data to execute public policies as per laws, contracts, or agreements
- Research: You need to conduct studies for research entities. In this case, you have to ensure that personal data is anonymized
- Contract: You need to process personal data to execute a contract or enter into a contract with the data subject, at their request
- Legal: You need to exercise judicial rights, administrative or arbitration procedures
- Vital interest: You need to process data to protect the life or physical safety of the data subject or a third party
- Health: You need to process personal data to protect data subject’s health, only in case of procedure carried out by health professionals or by health authorities
- Legitimate interest: You have legitimate interests to process personal data and if the data subject’s fundamental rights and freedoms are not compromised
- Credit: You need to process personal data to provide credit protection to the data subject
LGPD draws an important distinction for controllers who process sensitive personal data. Three legal bases cannot be used to process sensitive personal data. These are namely — legitimate interests, protecting credit and contracts with data subjects. Also, there is an additional legal basis for processing sensitive personal data — processing for the prevention of fraud.
What is consent under LGPD?
Valid consent as per LGPD is defined as “free, informed and unequivocal”. LGPD mandates that when consent is used as a legal basis for processing, it should give data subjects meaningful control and choice regarding their personal data.
- Consent should be provided by the data subject in writing or by other means (eg: a cookie consent banner)
- If the consent is given in writing, it should be highlighted separately in the contract
- Consent should also be specific. Generic consent obtained for processing personal data will be considered void
- Consent should be obtained after providing information in a transparent, clear and unequivocal manner
- If the purposes of processing personal data changes after obtaining consent, the controller has to inform the data subject in advance about the changes so that the user may revoke consent
- Businesses should also provide a “free and facilitated procedure” to revoke consent at any time
- To communicate or share personal data with other controllers, a business has to obtain specific consent from the data subject for this purpose
- The controller has the “burden of proof” to show that consent obtained is valid and compliant
How can your website comply with LGPD?
Obtain valid consent
Obtain cookie consent and
Try for free
minimize your legal risk
14-day free trialCancel anytime
- The purposes for processing personal data
- The type and duration you intend to process personal data
- The identity and contact details of your business
- Information about other businesses you share personal data with and the purpose
- Responsibilities of all parties that will process personal data you collect
- Rights data subject rights as provided in LGPD
What are the rights of data subjects in LGPD?
LGPD mandates that every individual has the fundamental rights of freedom, intimacy and privacy. The rights of the data subject as underlined in Article 18 of the LGDP and are:
- Confirm about the processing of personal data
- Access to personal data on request
- Correct personal data that is inaccurate, incomplete, or out-of-date
- Anonymize, erase, or block personal data if it is unnecessary, excessive, or has been processed in violation of the law
- Delete personal data on request
- Transfer personal data to another organization, on request
- Informed about third parties the personal data is shared with
- Refuse consent and be informed of the consequences
- Revoke or withdraw consent to the processing of personal data
What is the penalty for non-compliance with LGPD?
Violations under the LGPD are subject to warnings, fines, suspensions and partial or total ban of data processing.
Unlike the substantial GDPR fines, LGPD fines are less severe. The fines can reach up to 2% of the organization’s revenue in the previous fiscal year or up to $50 million reals (~$10 million) per violation.
- Issue a warning and provide a cure period
- Publicizing the data violation after thorough investigation
- Blocking or deleting processing activities or personal data related to the violation
- Partial or total suspension of databases for up to a six-month period where the data related to the violation cannot be used by the business
- Partial or total prohibition of data processing
Data subjects also can seek civil remedies for violations of the LGPD. If the processing of personal data caused “material, moral, individual or collective damage” to individuals can file a lawsuit for compensation.
What are the other obligations under LGPD?
Data Protection Officer
The LGPD states that any organization that processes personal data has to appoint a Data Protection Officer (DPO). The main responsibility of the DPO is to accept complaints and communications from data subjects, provide explanations and adopt measures. The DPO also has to coordinate with an organization’s employees and contractors regarding practices to be taken for data protection.
International Data Transfer
LGPD limits the transfer of personal data outside Brazilian borders. Under Article 33 of the LGPD, data transfer is prohibited, unless in case of a few exceptions, including:
- The receiving country or organization provides a level of data protection comparable to the LGPD
- The importer is bound by Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or global corporate norms and can demonstrate the same level of data protection as the LGPD
- International legal cooperation between government agencies
- The data subject has given specific consent, with prior information about the international transfer
Data Breach Notifications
In case of a data breach, the controller must provide a data breach notification to the National Data Protection Authority (ANPD) and the data subject in a reasonable time (to be defined later), if the breach is likely to result in risk or harm to data subjects.
The breach notification must contain, at least, the following:
- Description of the nature of the affected personal data
- Information regarding the data subjects involved
- Indication of the technical, security measures used
- The risks related to the incident
- The reasons for the delay in communication, if any
- The data protection measures that were or will be adopted
Children’s data is subject to a heightened level of protection under LGPD. To process children’s data, organizations have to get “specific and highlighted consent” from the parent or guardian.
Children’s personal data can be collected without consent if the data is necessary to contact the parents or the legal representative, and if the data is used only one time and not stored. Under no circumstances, the personal data of children can be transferred to third parties without consent.