Brazil General Data Protection Law

Law No. 13,709/2018, as amended by Law No. 13,853/2019 (Lei Geral de Proteção de Dados)

Highlights

Applicability:

Brazil Law applies to Controllers and Operators where:

• The processing of Personal Data takes place in Brazil;
• The processing of Personal Data occurs when supplying goods or services to individuals in Brazil; or
• The collection of Personal Data occurs in Brazil, regardless of where Processing occurs and regardless of the nationality of the individual whose data is collected.

Among other exclusions, the LGPD does not apply to the Processing of Personal Data:

• Carried out by natural persons exclusively for private and non-economic purposes;
• Carried out for the sole purpose of journalistic, artistic, or academic purposes;
• Carried out for the exclusive purpose of public safety, national defense, state security, or to investigate and prosecute criminal offences; or
• That originated outside Brazil and not being the object of communication, shared use of data with Brazilian data processing agents, or object of international data transfer with a country other than the country of origin, provided that the country of origin provides a degree of protection appropriate to the LGPD.

Covered Entity Obligations:

• Processing of Personal Data must comply with data processing principles of purpose, adequacy, necessity and limitation, free access, quality of data, transparency, security, prevention, non-discrimination, and accountability;
• Processing of Personal Data must have a lawful basis under the LGPD;
• Provide an easy to access privacy notice to inform Data Subjects about the Processing of Personal Data as required by the LGPD;
• Limit Processing of Sensitive Data to permitted lawful bases under the LGPD;
• Keep a record of Personal Data Processing operations, especially when based on legitimate interest;
• Perform a privacy impact report on protection of Personal Data upon order by the ANPD;
• Adopt security, technical, and administrative measures to protect Personal Data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or unlawful treatment;
• Formulate practices and governance for compliance with the LGPD;
• Comply with Data Subject rights;
• Conduct cross-border transfers of Personal Data only in accordance with LGPD’s permitted bases; and
• Report to the ANPD and data subjects of the occurrence of a security incident that may entail risk or damage to Data Subjects.
• Appoint a data protection officer for the Processing of Personal Data.

Consumer Rights:

Under the LGPD, Data Subjects have the following rights:

• Right to information about the specific purpose of Processing, form and duration of the Processing, identity and contact information of the Controller, information about the shared use of Personal Data, responsibilities of the Controller and Operator who will carry out the Processing, and rights of the Data Subject;
• Right to confirmation of Processing of Personal Data and access to Personal Data in a simplified format immediately, free of charge, or through a clear and complete statement within 15 days of request;
• Right to delete certain Personal Data, subject to certain exceptions;
• Right to correct incomplete, inaccurate, or outdated Personal Data;
• Right to anonymization, blocking, or deletion of Personal Data that is unnecessary, excessive, or Processed in violation of the LGPD;
• Portability of Personal Data to another service or product provider;
• Right to revoke consent at any time;
• Right to information about the public and private entities with which the Controller has shared Personal Data;
• Right to information about the possibility of not providing consent and consequences of that refusal; and
• Right to petition the processing of Personal Data against the Controller before the national authority.

More Details

Definitions:

• Controller: A person who is responsible for decisions regarding the Processing of Personal Data.
• Operator: A person that carries out the Processing of Personal Data on behalf of the Controller.
• Personal Data: Information related to an identified or identifiable natural person. Personal Data does not apply to anonymized data.
• Processing: Any operation carried out with Personal Data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.
• Sensitive Personal Data: Personal Data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical, or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person.

Penalties:

Violations of the LGPD can lead to the following administrative sanctions by the National Data Protection Authority (ANPD):

• A warning with a deadline for the adoption of corrective measures;
• A fine of up to 2% of the turnover of the legal entity in its last fiscal year, excluding taxes, limited to fifty million reais per infraction;
• Public disclosure of the infraction;
• Blocking of Personal Data until Processing is brought into compliance with the LGPD;
• Deletion of Personal Data;
• Suspension of the Personal Data Processing for six months; and
• Partial or total prohibition of the exercise of activities related to Processing of Personal Data.

Private Action:

Yes

Associated Regulations:

• Brazilian Civil Rights Framework for the Internet Law (Law No. 12,965/2014)

Effective Date:

September 18, 2020