
Complete Guide to LGPD: Brazil’s Data Privacy Law


Rick Buck, Chief Privacy Officer

Introduction

The Brazilian Lei Geral de Proteção de Dados (LGPD, Law No. 13,709) was first introduced as a bill on June 13, 2012, enacted on August 14, 2018, and went into effect on September 18, 2020. The administrative sanction provisions of the LGPD went into effect on August 1, 2021.

The LGPD is the first comprehensive data privacy law in Brazil and was clearly inspired by the GDPR. While many similarities exist between the LGPD and GDPR, there are notable differences, mostly around the definition of the data in scope, extraterritoriality, the data protection officer requirements, and consumer privacy rights requests (DSARs).

See how LGPD compares to CCPA, CPRA, GDPR and other global privacy frameworks. Check out our Interactive Privacy Law Table.


Official text

Click here to access the full official text of the LGPD.

Effective Date

The LGPD went into effect on September 18, 2020. Its administrative sanction provisions (the ANPD's power to impose fines and other penalties) went into effect on August 1, 2021.

Applicability

This data privacy regulation applies to any processing operation carried out by a natural person or legal entity, regardless of where the business is headquartered or where the data is stored, if any of the following apply:

  • The processing is carried out within Brazil;
  • The purpose of processing is to offer or provide goods or services to individuals located within Brazil; or
  • The personal data processed is collected in Brazil.

Covered Personal Information

Under the LGPD, “Personal data” means “information regarding an identified or identifiable natural person.”

Sensitive Data

Under the LGPD, the processing of sensitive personal data is restricted to two situations per Article 11.

First, when the data subject (or their legal guardian) has given specific and highlighted consent for specific purposes.

Second, in the absence of consent, when the processing is indispensable for certain specified purposes (e.g., compliance with a legal or regulatory obligation, protecting the life or physical safety of the data subject or a third party, and fraud prevention and the security of the data subject in identification and authentication processes).

The law defines “sensitive personal data” as “personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.”

Anonymous, De-identified, Pseudonymous, or Aggregated Data

Under Article 12, anonymized data is not considered personal data for the purposes of the LGPD, unless the anonymization can be reversed using the controller's own means or with reasonable effort. Pseudonymized data, by contrast, remains personal data because it can still be linked back to an individual with additional information held separately. In practice, a business should treat de-identified or aggregated data as in scope unless it can show that re-identification is not reasonably feasible.

Children

In general, Article 14 of the LGPD requires specific and highlighted consent from at least one parent or legal guardian to process children's personal data, and requires that processing of children's and adolescents' data be carried out in their best interest. The requirements of Article 14 are similar to those in the U.S. Children's Online Privacy Protection Act (COPPA).

Privacy Notice

Under the LGPD, controllers are required to notify data subjects of the following:

  1. The specific purposes of processing,
  2. The type and duration of processing,
  3. The controller's identity,
  4. The controller's contact details,
  5. Information regarding any sharing activities with other controllers and the purpose of sharing,
  6. The responsibilities of the agents carrying out the processing, and
  7. The data subject rights under the LGPD.

The LGPD does not specify that this must be provided before the collection of personal data. Still, these notice disclosures should be included within your organization's privacy policy if it is within the scope of the LGPD.

Consumer Rights

Article 9 of the LGPD gives data subjects the right to easy access to information about the processing of their data, including:

  1. The specific purposes of the processing,
  2. The type and duration of the processing,
  3. The controller’s identity and contact information,
  4. Information regarding the shared use of the data by the controller and the purpose,
  5. Responsibilities of the agents that will carry out the processing, and
  6. An explanation of the data subject rights.

Article 18 allows data subjects to make a request to obtain:

  1. Confirmation of the existence of processing,
  2. Correction of incomplete, inaccurate, or out-of-date data,
  3. Anonymization, blocking, or deletion of unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD,
  4. Data portability,
  5. Deletion of personal data processed with the data subject’s consent (subject to certain exceptions),
  6. Information about public and private entities with which the controller has shared data,
  7. Information about the possibility of denying consent and the consequences of such denial,
  8. Revocation of consent.

Contracting

Unlike the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in the EU, the LGPD does not expressly require organizations (whether controllers or processors) to execute contracts when there is shared use of personal data with third parties, including vendors. Sector-specific laws, such as those of the financial sector, may require the execution of a contract with vendors.

Data Protection Assessments

This regulation requires organizations to appoint a data protection officer (the "encarregado"), prepare data protection impact reports when requested by the ANPD, maintain records of processing activities, comply with specific consent requirements, and implement security, technical, and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or any other improper or unlawful processing.

Enforcement

The LGPD is enforced by the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD).

Private Right of Action

The LGPD has a provision for private rights of action.

Penalties and Damages

Violations of the LGPD may result in fines of up to 2% of the organization's revenue in Brazil for the prior fiscal year (excluding taxes), capped at a total of 50 million reais (approximately USD 9.3 million at the time of writing) per violation. The ANPD may also impose daily fines, warnings, publication of the infraction, and blocking or deletion of the personal data involved.

Cure Period

The LGPD does not provide a cure period.

Exemptions

This data privacy law exempts the processing of personal data by natural persons exclusively for private and non-economic purposes; for journalistic and artistic purposes; for academic purposes (subject to certain exceptions); or exclusively for public safety, national defense, state security, or the investigation and prosecution of criminal offenses (which is subject to separate obligations).

Data Breach

The LGPD requires organizations to report data breaches to the national data protection authority and to the affected data subjects. The text itself does not set a firm deadline; it merely states that "the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects…in a reasonable time period, as defined by the national authority." The ANPD has since defined that period by regulation (CD/ANPD Resolution No. 15 of 2024 sets it at three business days from the controller's knowledge of the incident), so organizations in scope should check the current ANPD rules rather than rely on the statutory text alone.

WireWheel offers a complete solution to help manage the requirements of the LGPD, including a solution to fulfill employee DSARs, an integration with Microsoft Priva, and connectors to more than 500 systems, including HR systems such as Workday and Oracle. Contact us to learn more.

Rick Buck is the WireWheel Chief Privacy Officer and acts as a Privacy Advisor to WireWheel clients, helping them with the implementation and optimization of their privacy programs. Over the past 20 years, Rick has…