The Ultimate Guide to GDPL: Brazil’s Data Protection Law

The Ultimate Guide to GDPL: Brazil’s Data Protection Law

Brazil has recently joined the race to protect the data privacy of its citizens from the increasing rate of the data breach and a shocking number of website hacks that made privacy law a necessity for all the advanced countries in the world. This article is a brief summary of Brazil’s GDPL (General Data Protection) Law as a guide for your firm to start working on compliance. We will keep you updated on the new changes in the law as soon as it takes effect officially.

What is GDPL? 

General Data Protection Law or GDPL, Law No 13,709/2018,  is Brazilian privacy law. It is Brazil’s first comprehensive general law that addresses personal data protection and privacy of citizens. It imposes some limitations, obligations and requirements on the businesses organizations operating in Brazil, irrespective of their geographical presence and any commercial website owner. 


Most importantly, it mandates all the natural persons or legal entities, public or private, dealing with the personal data of the residents of Brazil, to take the consent of the data subjects before collecting their personal information. No matter whether the means of collection is digital or physical. 

The law defines personal data as any information that belongs to an identified or identifiable natural person. 

Personal data is considered sensitive if it relates to –

  • Ethnicity or racism
  • Religious or political opinion
  • Membership of any religious or political organization 
  • Biometric or genetic information  
  • Trade Union  

Here are the major principles that govern GDPL – 

  • Respect for the privacy of the residents of Brazil 
  • Freedom of expression 
  • Self-determination in relation to information 
  • Economical development and technological advancement
  • Consumer protection 
  • Freedom of entrepreneurship 

Get WordPress Cookie Consent Plugin For GDPR & CCCPA

When will GDPL come into force? 

The first draft of the GDPL (General Data Protection Law) of Brazil was published on 15th August 2018 in the official gazette. It was supposed to be implemented immediately. The Brazilian residents, business firms, cyber professionals, and even the non-profit organizations were quite eagerly waiting for this new regulation, as it was all set to be enacted in 2014, alongside the Brazilian Civil Framework of the Internet – BCFI and a new Copyrights Act, to upgrade the Brazilian legislature to match the requirements of the 21st century.

However, things did not proceed in an anticipated order. The legal process for approval and implementation of these new laws did not develop as they were expected. There were some contradictions between them. It took some time to resolve the issue. 

The commencement was supposed to take place in August 2020. But, due to the outbreak of  COVID 19 pandemic, it has been further postponed to August 2021. The law will come into effect after the Brazilian Senate approves the bill and the president passes it. But, as the situation is quite uncertain, it is difficult to say when it will actually come into force. 

Weverton Rocha, the Brazilian Senator, has made a public comment saying the law is the need of the time but due to the current scenario, the implementation is being delayed – 

“GDPL is a subject that has been maturing during many years and we are falling behind in the world because we are not prepared. More than ever, we need GDPL”.  

To whom does GDPL apply?

It applies to any natural person or legal entity that processes the personal data of the residents of Brazil if – 

  • The data subjects are located in Brazil 
  • The data is collected and processed in Brazil 
  • The purpose of the data collection and processing is to offer some product or service to the people located in Brazil     

It does not apply if the collection and processing of personal data is – 

  • Done for a non-commercial purpose 
  • Done  for educational, social or artistic purposes 
  • Done for national security and public safety 
  • Carried out outside the territory of Brazil   

What impact will GDPL have on the companies? 

GDPL will impact the companies that collect or process data of Brazilian residents for business purposes. They will need to comply with GDPL for every single step that they take starting from employee relation to positioning their products in the market. 

Here are the key measures that any company should take in order to be compliant with this law:

  • Identify data, means of collection and operators to check the company’s exposure to GDPL.
  • Adhere to the principles provided in Article 6 of GDPL for creation, reviewing and implementation of documents. 
  • Make sure to take consent of the data subjects before collecting their data 
  • Creating an independent team and database to respond to the requests and reactions of the data subjects 
  • Ensure data security to the subjects and adopt adequate security measures for the protection and safety of the collected data that are in store in the company’s database 

What are the administrative penalties involved?

Since GDPL is still yet to come into effect, what penalty will apply to what kind of violation is still subject to the approval of the Brazilian Senate. However,  as per a provisional measure 869/2018 published in December 2018, the current penalty rules will continue till May 2021.

Here are the major administrative penalties for violation of GDPL – 

  • Warning 
  • A fine that may go up to 2% of a company’s income for the previous financial year excluding all taxes. It is to be paid at a time or on a daily basis. 
  • Publicly of the infringement 
  • Blocking of personal data related to the infringement   

Final thoughts…

The Brazilian’s GDPL isn’t an obligatory implementation yet. As most of the websites are already following current international consumer protection laws like GDPR and CCPA, the efforts required to be compliant with GDPL will be relatively less.

Obviously there will be some additional information required to be updated by how companies manage personal data. If you have any questions or suggestions regarding GDPL, we would love to hear from you! Drop your feedback in the comment box below.