The Ultimate Guide to GDPL: Brazil’s Data Protection Law

Ever wondered how the General Data Protection Law (GDPL) is changing the way companies in Brazil handle your private information?

In this guide, we’ll take a simple and clear look at GDPL and its impact. We’ll explore the rules and ideas behind Brazil’s Data Protection Law, see how it affects sensitive information, and understand why it’s important for your privacy.

Join us on this journey as we uncover the details of GDPL and learn how it’s making a difference in protecting data not only in Brazil but also around the world.

What is GDPL? 

The General Data Protection Law (GDPL), Law No. 13,709/2018, is Brazil’s privacy law. It is the country’s first comprehensive general law that addresses personal data protection and the privacy of citizens.

GDPL imposes limitations, obligations, and requirements on business organizations operating in Brazil, irrespective of their geographical presence.

Brazilian law requires all legal entities, whether public or private, that handle the personal data of Brazilian residents to obtain consent from individuals before collecting any of their personal information. This applies to both digital and physical means of collection.

Personal data, as defined by the law, is any information related to a particular individual that could be used to identify that individual.

Personal data is considered sensitive if it relates to –

  • Ethnicity or race
  • Religious or political opinion
  • Membership of any religious or political organization 
  • Biometric or genetic information  
  • Trade Union  

Here are the major principles that govern GDPL – 

  • Respect for the privacy of the residents of Brazil 
  • Freedom of expression 
  • Self-determination in relation to information 
  • Economic development and technological advancement
  • Consumer protection 
  • Freedom of entrepreneurship 

When will GDPL come into force? 

The first draft of the GDPL (General Data Protection Law) of Brazil was published on 15th August 2018 in the official gazette. It was supposed to be implemented immediately. Brazilian residents, business firms, cyber professionals, and even non-profit organizations were eagerly awaiting this new regulation, as it was all set to be enacted in 2014, alongside the Brazilian Civil Framework of the Internet (BCFI) and a new Copyrights Act, to upgrade Brazilian legislation to match the requirements of the 21st century.

However, things did not proceed in the anticipated order. The approval and implementation of these new laws did not unfold as expected in the legal process. There were some contradictions between them. It took some time to resolve the issue. 

The commencement was supposed to take place in August 2020. But, due to the outbreak of the COVID-19 pandemic, it has been further postponed to August 2021. The law will come into effect after the Brazilian Senate approves the bill and the president passes it. But, as the situation is quite uncertain, it is difficult to say when it will actually come into force.

Weverton Rocha, a Brazilian Senator, has commented publicly that the law is needed now, but that implementation is being delayed due to the current scenario:

“GDPL is a subject that has been maturing during many years and we are falling behind in the world because we are not prepared. More than ever, we need GDPL”.  

To Whom Does GDPL Apply?

GDPL applies to any person or legal entity that processes the personal data of the residents of Brazil if – 

  • The individuals are located in Brazil.
  • Data are collected and processed in Brazil.
  • The data collection and processing purpose is to offer some product or service to the people in Brazil.     

It does not apply if the collection and processing of personal data is – 

  • Done for a non-commercial purpose.
  • Done for educational, social, or artistic purposes.
  • Done for national security and public safety.
  • Carried out outside the territory of Brazil.  

What Impact Will GDPL Have On The Companies? 

GDPL will impact companies that collect or process data of Brazilian residents for business purposes. They will need to comply with GDPL at every step they take, from employee relations to positioning their products in the market.

Here are the key measures that any company should take in order to be compliant with this law:

  • Identify data, means of collection, and operators to check the company’s exposure to GDPL.
  • Adhere to the principles provided in Article 6 of GDPL for the creation, reviewing, and implementation of documents. 
  • Create an independent team and database to respond to the requests and reactions of the data subjects.
  • Ensure data security for the subjects and implement adequate security measures to protect and ensure the safety of the collected data stored in the company’s database.

What Administrative Penalties Are Involved?

Here are the penalties for non-compliance with GDPL.

Warnings will be issued, specifying a deadline for corrective action. Non-compliance will result in the following consequences:

  1. The authorities may impose a straightforward fine amounting to a maximum of 2% of the economic group’s net turnover in Brazil during its last fiscal year. The authorities cap this fine at BRL 50 million (approximately USD 10.5 million) per violation.
  2. Daily fines may apply within the limits established by the previously mentioned fine.
  3. Disclosure of the violation will occur after a thorough verification and confirmation process.
  4. Personal data involved in the violation may be blocked until the issue is resolved.
  5. Deletion of the personal data that is the subject of the violation may be mandated.
  6. Authorities may suspend the relevant database for six months, with the option for renewal for an additional six-month period.
  7. Authorities may suspend processing activities for six months, with the option to renew for another six-month period.
  8. Authorities may mandate the deletion of the personal data that is the subject of the violation.

Conclusion

The Ultimate Guide to GDPL emphasizes its significance in shaping data protection practices in Brazil. The law aligns with global standards, offering guidelines tailored to the nation’s dynamic landscape.

Navigating the regulatory framework is crucial, with a focus on practical compliance implications. GDPL’s impact on sensitive information is substantial, evidenced by case studies illustrating successful strategies. Looking ahead, the dynamic nature of data protection calls for continuous adaptation.

The guide serves as a roadmap for businesses to implement best practices, emphasizing the proactive measures needed to secure sensitive information and contribute to a future of ethical and responsible data management.

Most websites already follow current international consumer protection laws like GDPR and CCPA. If you manage a website and wish to incorporate a cookie banner, you may want to explore the option of installing the free WP Cookie Consent plugin.