Complete Guide to LGPD: Brazil’s Data Privacy Law
The Brazilian Lei Geral de Proteção de Dados (LGPD) was first introduced on June 13, 2012 and went into effect on September 18, 2020. The administrative sanction provisions of the LGPD went into effect on August 1, 2021.
The LGPD is the first comprehensive data privacy law in Brazil and was clearly inspired by the GDPR. While many similarities exist between the LGPD and GDPR, there are notable differences, mostly around the definition of the data in scope, extraterritoriality, the data protection officer requirements, and consumer privacy rights requests (DSARs).
The LGPD went into effect on August 1, 2021.
This data privacy regulation applies to any processing operation carried out, regardless of the location of the business, if any of the following apply:
- The processing is carried out within Brazil;
- The purpose of processing is to offer or provide goods or services to individuals located within Brazil; or
- The personal data processed is collected in Brazil.
Covered Personal Information
Under the LGPD, “Personal data” means “information regarding an identified or identifiable natural person.”
Under the LGPD, the processing of sensitive personal data is restricted to two situations per Article 11.
First, when the data subject has given his/her specific consent for specific purposes.
Second, in the absence of consent, when the processing is indispensable for certain specified purposes (e.g., compliance with a legal obligation, protecting life or physical safety, and fraud prevention).
The law defines “sensitive personal data” as “personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.”
Anonymous, De-identified, Pseudonymous, or Aggregated Data
Under this privacy regulation, businesses must comply with LGPD regulation regardless of the data type.
In general, Article 14 of the LGPD requires parental consent to process children and adolescents’ personal data. The requirements of Article 14 are similar to those in the Children’s Online Privacy Protection Act.
Under the LGPD, controllers are required to notify data subjects of the following:
- The specific purposes of processing,
- The type and duration of processing,
- The controller’s identity,
- The controller’s contact details,
- Information regarding any sharing activities with other controllers and the purpose of sharing,
- The responsibilities of the agents carrying out the processing, and
- The data subject rights under the LGPD.
Article 9 of the LGPD provides data subjects with the right to receive notice of:
- The specific purposes of the processing,
- The type and duration of the processing,
- The controller’s identity and contact information,
- Information regarding the shared use of the data by the controller and the purpose,
- Responsibilities of the agents that will carry out the processing, and
- An explanation of the data subject rights.
Article 18 allows data subjects to make a request to obtain:
- Confirmation of the existence of processing,
- Correction of incomplete, inaccurate, or out-of-date data,
- Anonymization, blocking, or deletion of unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD,
- Data portability,
- Deletion of personal data processed with the data subject’s consent (subject to certain exceptions),
- Information about public and private entities with which the controller has shared data,
- Information about the possibility of denying consent and the consequences of such denial,
- Revocation of consent.
Unlike the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) in the EU, the LGPD does not expressly require organizations (whether as controllers or processors) to execute contracts when there is shared use of personal data with third parties, including vendors. Sector-specific laws, such as those of the financial sector, may require the execution of a contract with vendors.
Data Protection Assessments
This regulation requires organizations to appoint a Data Protection Officer, conduct data privacy impact reports, maintain records of processing activities, comply with specific consent requirements, and implement security, technical, and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or any type of improper or unlawful processing.
The LGPD is enforced by the Brazilian Data Protection Authority, the ANPD.
Private Right of Action
The LGPD has a provision for private rights of action.
Penalties and Damages
Violations of the LGPD may result in fines of up to 2% of the organization’s global revenue for the prior year, up to a total of 50 million reais (or approximately USD 9.3 million) per violation.
The LGPD does not provide a cure period.
This data privacy law exempts the processing of personal data by natural persons exclusively for private and non-economic purposes, journalistic and artistic purposes, academic purposes (subject to certain exemptions), or processing that is done exclusively for public safety, national defense, state security, or activities of investigation and prosecution of criminal offenses (such processing is subject to separate obligations).
The LGPD requires organizations to report data breaches to the local data protection authority. The text does not give any firm deadline; it merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects…in a reasonable time period, as defined by the national authority.”