Brazil’s General Data Protection Law (LGPD)
The Lei Geral de Proteção de Dados, or General Data Protection Law (LGPD), is Brazil’s data protection regulation, which was passed in 2018 and entered into effect on 18 September 2020. The LGPD covers the activities of data controllers and processors regarding the collection, use, storage and sharing of personal data belonging to data subjects residing in Brazil, of data collected and/or processed in Brazil, or of data whose processing purpose is to offer or provide goods or services in Brazil.
In LGPD terms, any information related to an identified or identifiable person is considered personal data. Sensitive data is personal data related to “racial or ethnic origin, religious conviction, political opinion, union affiliation or religious, philosophical or political organization, health or sexual life data, genetic or biometric data, when linked to a natural person.”
Opt-in / Opt-out
Similar to the GDPR, the LGPD offers data subjects the option to opt in, making consent for the collection and processing of data mandatory in most situations. The model is applicable to personal data (e.g. names, addresses, etc.) as well as to granular data such as that collected via website/app cookies. Opting out gives data subjects the right to withdraw their consent for the processing of data.
LGPD Chapters
The Brazilian legal framework for data protection contains 10 chapters and a total of 65 articles, which set out the rights of the data subjects and the conditions under which data can be collected, processed, stored, and shared. Along with the data subjects’ rights to their data, the law specifies the obligations of data controllers and data processors, as well as the exceptions to the law.
Chapter 1 – Preliminary Provisions
Chapter 2 – Processing of Personal Data
Chapter 3 – Data Subject Rights
Chapter 4 – Processing Activities by the Public Service
Chapter 5 – International Data Transfer
Chapter 6 – Personal Data Processing Agents
Chapter 7 – Safety and Good Practice
Chapter 8 – Supervision
Chapter 9 – National Data Protection Authority (ANPD) and National Data Protection Council and Privacy
Chapter 10 – Final and Transitional Provisions
While the complexity of the law can be daunting for most organizations, it is fundamental to consider that data can be processed provided the processing meets the following data processing principles: purpose, adequacy, need, free access, data quality, transparency, security, prevention, non-discrimination, responsibility and accountability. Fairly new but already resting on a sound foundation, the LGPD urges organizations to prioritize compliance while boosting business growth. The penalties for failure to comply with the law are described in Article 52 of the LGPD, and they include warnings, fines of up to 2% of sales revenue, deletion of the personal data to which the infringement refers, partial or total prohibition of activities related to data processing, etc.