Provisions of the LGPD Law
- Setting the guiding principles for the processing of personal data
- Providing consumers with a set of rights over their data
- Rules regarding data breach reporting
The law also establishes a Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD).
The “Lei Geral de Proteção de Dados” (LGPD) is a long and detailed law that significantly affects everyday business in Brazil. A solid understanding of the LGPD is a must for any business with Brazilian clients, customers or partners. The maximum penalty for leaking personal data is R$ 50 million or up to 2 percent of the organization’s annual revenue.
We’ll look at the law in a little more depth below. Let’s start:
Who does the LGPD apply to?
The LGPD applies to organizations worldwide that have any connection with people in Brazil, whether as customers, employees, business partners, or contractors. Like the GDPR and the CCPA, it has an extraterritorial element, a characteristic shared by many international privacy laws.
If a company directly or indirectly handles Personally Identifiable Information (PII) belonging to people outside the company, the control and management of that data must fully comply with the law.
By external persons we mean all of a company’s stakeholders: customers, suppliers, visitors, service providers, leaders, and so on. Since every company handles data from outsiders, the requirements of this law effectively cover every company. The LGPD is not limited to businesses of a particular size or turnover.
The LGPD will cover you or your organization if it is:
- Processing personal data in Brazil, or data that was collected in Brazil
- Processing the personal data of people in Brazil, or
- Offering goods or services to Brazilian clients and consumers
Exceptions to the LGPD law:
The LGPD does not apply when:
- the processing of personal data is carried out exclusively for private, non-profit, journalistic, artistic and/or academic purposes
- the processing of personal data is carried out exclusively for the purposes of public and state security, national defense, or the investigation and prosecution of crimes
- the personal data originates outside Brazil and is not communicated to or shared with Brazilian data processing agents, nor subject to international transfer to a country other than the country of origin
What are consumers’ rights under Brazil’s LGPD?
The LGPD provides nine rights for individuals over their personal data.
The data controller must protect these rights and facilitate their exercise.
The nine ‘data subject rights’:
- right to confirm that their personal data is being processed
- right of access to their personal data
- right to correction of incomplete, incorrect or outdated personal data
- right to anonymization, blocking or deletion of any unnecessary, excessive, or non-compliant personal data
- right to ask the data controller to move their personal data to another service or product provider (data portability)
- right to erasure of their personal data (with exceptions, according to Article 16)
- right to information about the public or private entities with whom their personal data is shared, as well as why it is shared
- right to be informed about the possibility of refusing consent to the processing of their personal data and the consequences of refusal
- right to revoke consent to the processing of their personal data
The European General Data Protection Regulation (GDPR) inspired the Lei Geral de Proteção de Dados. What the GDPR is to residents of Europe, the LGPD is to residents of Brazil. The LGPD is similar to the GDPR in many ways; however, there are a few differences.
Below is a short comparison of the two laws, highlighting the key differences between them.
LGPD vs. GDPR
1. Who does the law apply to?
LGPD: Residents of Brazil
GDPR: Residents of the EU
2. What are the differences in the legal basis for processing?
The LGPD recognizes some legal bases for processing personal data that the GDPR does not. These include: credit protection and credit analysis; protection of health; anonymization of personal data (where possible); and the exercise of rights in administrative, arbitration, or judicial proceedings.
3. Who must comply?
LGPD: Any organization that processes personal data of Brazilian residents, regardless of its location
GDPR: Any organization that processes personal data of European residents, regardless of its location
4. Is a DPO required?
LGPD: Required under certain circumstances
GDPR: A DPO is mandatory