LGPD: A Guide to Brazil’s General Data Protection Law

Have you ever wondered how your data protection works in an increasingly digital world?
The Brazilian General Data Protection Law (LGPD), enacted in August 2018, addresses this critical concern by establishing strong guidelines for collecting, using, and storing personal data.
Inspired by the European Union’s GDPR, the LGPD aims to empower individuals with greater control over their personal information while holding organizations accountable for their data practices.
As businesses and consumers navigate the complexities of data privacy, the LGPD serves as a pivotal framework that safeguards privacy rights and fosters trust in the digital landscape.
In this article, we will learn how this law will impact your interactions with businesses and your customers’ data.
- What is the LGPD Law?
- Key Definitions and Terms under LGPD
- To Whom Does the LGPD Law Apply?
- What are the Rights Under the Brazilian Data Privacy Law (LGPD)?
- Who Needs to Comply With The LGPD Law
- How to Comply With Brazilian Data Protection Law (LGPD)?
- Penalties and Fines for Non-compliance with LGPD Act
- FAQ
- Conclusion
What is the LGPD Law?
The General Data Protection Law (LGPD) is a federal law in Brazil that consolidates forty separate regulations governing the processing of personal data.
The law was passed on September 18, 2020, and became effective retroactively on August 16, 2020.
Penalties came into effect on August 1, 2021, although data subjects and public authorities could begin asserting their rights from September 18, 2020.
The Brazil data protection law consists of 65 articles organized into ten chapters. Article 2 enumerates seven fundamental principles of personal data protection.
- Respect for privacy
- Informational self-determination
- Freedom of expression, information, communication, and opinion
- Inviolability of intimacy, honor, and image
- Economic and technological development and innovation
- Free enterprise, free competition, and consumer protection
- Human rights, free development of personality, dignity, and exercise of citizenship by individuals
Key Definitions and Terms under LGPD
Under Brazilian data protection law, the following key definitions and terms are widely used in connection with the law.
- Consent: The data subject’s free, clear-cut expression of agreement to using their personal information for the specified purpose.
- Controller: The natural person or public or private legal body deciding how to process personal data.
- Data Subject: The data subject is a natural person whose personal information is being processed.
- Personal data: Information relating to a natural person who is identified or can be identified.
- Processor: A natural person or public or private legal entity that processes personal data on behalf of a controller.
- Personal data processing: Includes collection, receipt, production, classification, access, replication, use, transmission, distribution, storage, filing, deletion, evaluation, or control of the information, as well as communication, transfer, dissemination, extraction, or modification.
- Sensitive data: Information on an individual’s identity, such as racial or ethnic origin, political, religious, or philosophical views, trade union membership, membership in political or religious organizations, genetic information, and biometric information.
To Whom Does the LGPD Law Apply?
As per Article 3, the LGPD applies to any data processing activity that is carried out in Brazil, that aims to offer goods or services to individuals in Brazil, or that involves personal data collected in Brazil.
This includes data processing by any individual or public or private legal entity (commonly a business or organization).
The organization conducting the data processing doesn’t require a physical presence or headquarters in Brazil. This aspect of extraterritoriality is similar to many international privacy laws.
What are the Rights Under the Brazilian Data Privacy Law (LGPD)?
An individual whose data is processed under this law has the right to the following, as specified in Article 18:
- Verify if their personal information is being processed.
- Access their personal information.
- Rectify incomplete, inaccurate, or out-of-date information.
- Have unnecessary or excessive information anonymized, blocked, or deleted.
- Request to transfer their personal information to another service or product provider (data portability).
- Delete their personal information, with exceptions as listed in Article 16.
- Receive information about public or private entities with which their personal information has been shared.
- Receive information about their right to refuse consent to processing their data and its consequences.
Who Needs to Comply With The LGPD Law
Unlike the CCPA, the LGPD does not consider a company’s size or revenue. Instead, it concentrates on the data an organization processes.
Any entity that carries out the following duties is required by Article 3 of the LGPD to abide by the law:
- Processing data within Brazil’s borders.
- Processing personal information of people who are on Brazilian soil, regardless of where the data operator is located.
- Processing information that has been gathered on Brazilian soil.
How to Comply With Brazilian Data Protection Law (LGPD)?
Companies should take the following actions to comply with the Brazilian privacy law:
- Recognize Applicability: Determine whether your company is covered by the LGPD, which affects any organization that handles personal data in Brazil.
- Take a Data Inventory: List all the personal information gathered, processed, and kept in one place. Include information on the sources, uses, and data movement inside and outside your company.
- Determine Legal Bases: Article 7 of the LGPD states the legal justifications for processing personal data, such as consent or contractual necessity.
- Make Risk Assessments: Determine weak points and take precautions to lessen the likelihood of data breaches.
- Put Security Measures in Place: Implement organizational and technical safeguards to prevent unauthorized access to personal data and personal data breaches. Access controls, encryption, and frequent security audits are a few examples.
- Maintain Records of Processing Activities: To demonstrate compliance, keep detailed records of all data processing activities, including purposes, data categories, and retention periods.
- Review Third-Party Contracts: Evaluate contracts with third-party vendors to ensure they comply with the LGPD. Include data protection clauses that outline responsibilities and liabilities.
- Prepare for Data Breaches: As the LGPD requires, develop a data breach response plan that includes notification procedures for affected individuals.
To comply with LGPD, we recommend you use the WP Legal Pages Compliance Platform, which gives you access to the WP Legal Pages plugin and WP Cookie Consent. These will help you create legal documents and cookie consent content for your website.

The WP Legal Pages plugin has 130+ ready-to-use templates and can help you quickly create and edit your website’s policy pages.
WP Cookie Consent is a consent management tool that helps you get explicit user consent.
Penalties and Fines for Non-compliance with LGPD Act
The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) was passed to safeguard personal information and guarantee people’s privacy.
Non-compliance with this law can lead to severe penalties and fines aimed at enforcing accountability among organizations. Here’s a detailed breakdown:
1. Fines
- Percentage of Revenue: Fines may amount to as much as 2% of an organization’s gross revenue in Brazil for the preceding fiscal year. The percentage is computed on the organization’s total revenue in the country.
- Cap on Fines: Regardless of the percentage, 50 million Brazilian Reais is the maximum fine that can be assessed for a single infraction. This cap seeks to strike a balance between enterprises’ financial survival and the enforcement of the law.
- Multiple Violations: An organization may incur cumulative fines for multiple violations, which could have a significant negative financial impact.
2. Warnings
- Initial Response: The Brazilian Data Protection Authority can issue a warning for less severe infractions. This warning informs the company that it is not in compliance.
- Rectification Period: The warning usually specifies a deadline for the organization to address and fix the problems found. Failure to comply within this time frame may result in more severe penalties.
3. Suspension of Data Processing
- Temporary Suspension of Data Processing: The Brazilian Data Protection Authority can temporarily stop an organization from processing personal data. This suspension may be total, affecting all data processing activities, or partial, affecting only some of them.
- Conditions for Suspension: This measure is typically implemented when there is a substantial risk to the rights of data subjects or when the entity consistently disregards the LGPD.
4. Prohibition of Data Processing
- Total Prohibition: The Brazilian Data Protection Authority can completely forbid an entity from processing personal data in situations of severe or persistent infractions. This restriction may be temporary or permanent.
- Impact on Operations: If data processing is essential to the organization’s business model, such a limitation might seriously impair its ability to conduct business.
5. Public Disclosure of Infractions
- Measures of Transparency: The ANPD (Autoridade Nacional de Proteção de Dados, the Brazilian Data Protection Authority) may make information about the offense, such as the name of the offending entity and the specifics of the infraction, available to the public.
- Reputational Damage: Publicizing information can damage a company’s reputation, erode client confidence, and possibly cost the company business.
6. Compensation for Damages
- Liability for Damages: Companies may be required to reimburse people for losses due to violating the LGPD. This covers both tangible and intangible losses.
- Legal Action: Affected parties may file a lawsuit or pursue other remedies against companies that violate their data protection rights.
The LGPD’s fines and sanctions are intended to ensure that businesses take their obligations regarding personal data seriously.
FAQ
Lei Geral de Proteção de Dados, or LGPD, is a data protection law in Brazil. This law protects individuals’ fundamental privacy rights and ensures that companies and organizations handle their data responsibly and transparently.
The LGPD data protection law was passed on 18 September 2020 and became effective retroactively on 16 August 2020, although the penalties for noncompliance only started on 1 August 2021.
Brazilian data protection law LGPD applies to individuals or any organization that processes personal data in Brazil. It also applies to any business that handles data of Brazilian citizens, whether they are based in Brazil or abroad.
The Brazilian Data Protection Authority can impose several sanctions for violations of Brazilian privacy law: fines of up to 2% of the company’s revenue, and additional penalties including suspension of data processing activities and public disclosure of the infraction.
Conclusion
The Brazilian General Data Protection Law (LGPD) aims to ensure the privacy and protection of Brazilian citizens’ data.
LGPD requires strong data protection measures for companies, including obtaining the explicit consent of data subjects, being open and honest about data collection and use, and ensuring the security and integrity of personal data.
We recommend using the WP Legal Pages Compliance Platform to comply with Brazilian data protection and LGPD law. The platform provides cookie consent management and legal templates for your website under one platform.
Do you want to design a beautiful cookie consent banner or a detailed privacy policy for your website? Grab the WP Legal Pages Compliance Platform now!