The Ultimate Guide to GDPL: Brazil’s Data Protection Law
Summary
The article also explores automated decision-making and AI processing, outlines data subject rights under GDPL, and explains the practical impact on companies handling personal data in Brazil.
Ever wondered how the General Data Protection Law (GDPL) is changing the way companies in Brazil handle your private information?
In this guide, we’ll take a simple and clear look at GDPL and its impact. We’ll explore the rules and ideas behind Brazil’s Data Protection Law, see how it affects sensitive information, and understand why it’s important for your privacy.
Join us on this journey as we uncover the details of GDPL and learn how it’s making a difference in protecting data not only in Brazil but also around the world.
- What is GDPL?
- ANPD Enforcement Updates
- When will GDPL come into force?
- Automated Decision-Making and AI Processing
- To Whom Does GDPL Law Apply?
- Privacy Rights Mapping (Data Subject Rights)
- What Impact Will GDPL Have On The Companies?
- What Administrative Penalties Are Involved in Brazilian Law?
- FAQ
- Conclusion
What is GDPL?
The General Data Protection Law, or GDPL, Law No. 13,709/2018, is the Brazilian privacy law. It is Brazil’s first comprehensive general law that addresses personal data protection and the privacy of citizens.
GDPL imposes some limitations, obligations, and requirements on the business organizations operating in Brazil, irrespective of their geographical presence.
It is crucial to note that Brazilian law requires all legal entities, whether public or private, that handle the personal data of Brazilian residents to obtain consent from individuals before collecting any personal information. This applies to both digital and physical means of collection.
Personal data, as defined by the law, refers to any information that is related to a particular individual. This information could be used to identify the said individual.
Personal data is considered sensitive if it relates to:
- Racial or ethnic origin
- Religious or political opinion
- Membership in any religious or political organization
- Biometric or genetic information
- Trade union membership
Here are the major principles that govern GDPL:
- Respect for the privacy of the residents of Brazil
- Freedom of expression
- Self-determination in relation to information
- Economic development and technological advancement
- Consumer protection
- Freedom of entrepreneurship
Understanding GDPL is the first step, but applying it correctly can be challenging. This is where tools like the WPLP Compliance Platform help simplify implementation.

ANPD Enforcement Updates
Following the introduction of the LGPD’s enforcement provisions in August 2021, Brazil’s National Data Protection Authority (ANPD) has increasingly exercised its powers by investigating and sanctioning entities that fail to comply with the law.
One such case of non-compliance was against a telemarketer who had processed personal data without a valid basis, did not have a Data Protection Officer (DPO) appointed, and also did not comply with various requests issued by the ANPD in relation to their operations.
The ANPD’s penalties included issuing warnings and imposing financial penalties based on a percentage of the company’s revenue for every violation of the LGPD.
The ANPD’s Regulatory Agenda for 2025-2026 aims to establish a much more structured and proactive regulatory climate than has previously existed. It includes expanding guidance on data subject rights and the international transfer of personal data, as well as regulating artificial intelligence and biometric technologies.
Additionally, the ANPD has become more independent from other governmental agencies by being granted technical, administrative, and enforcement independence, allowing it to enforce compliance with its regulations and apply appropriate sanctions for regulatory non-compliance.
When will GDPL come into force?
The first draft of the GDPL (General Data Protection Law) of Brazil was published on 15th August 2018 in the official gazette. It was supposed to be implemented immediately.
Brazilian residents, business firms, cyber professionals, and even non-profit organizations were eagerly awaiting this new regulation, as it was all set to be enacted in 2014, alongside the Brazilian Civil Framework of the Internet (BCFI) and a new Copyrights Act, to bring Brazilian legislation up to the requirements of the 21st century.
However, things did not proceed in the anticipated order. The approval and implementation of these new laws did not unfold as expected in the legal process. There were some contradictions between them. It took some time to resolve the issue.
The commencement was supposed to take place in August 2020. But, due to the outbreak of the COVID-19 pandemic, it has been further postponed to August 2021. The law will come into effect after the Brazilian Senate approves the bill and the president passes it. But, as the situation is quite uncertain, it is difficult to say when it will actually come into force.
Weverton Rocha, the Brazilian Senator, has commented publicly that the law is the need of the time, but that its implementation is being delayed due to the current scenario:
“GDPL is a subject that has been maturing during many years and we are falling behind in the world because we are not prepared. More than ever, we need GDPL”.
Automated Decision-Making and AI Processing
Under the LGPD, data subjects have the right to be informed about how their personal data is processed, including when it is used for automated decision-making or data analysis.
Controllers must clearly disclose the existence of such automated processes and explain how they may affect individuals. Where an automated decision produces significant effects, data subjects may request meaningful information about the logic involved and an explanation of the decision’s outcome.
The LGPD allows for automated decision-making as long as there is a legal basis for the decision, sufficient transparency to clarify the decision-making process, and protection against discrimination against data subjects.
Companies are expected to have safeguards for fairness, accountability, and the right of data subjects to contest automated decisions or receive an explanation for how the automated decision was made.
The ANPD has signaled its focus on this area through technical notes emphasizing risk-based compliance and transparency, particularly where advanced technologies like AI are involved. Even though these notes are not binding rules, they provide useful guidance for organizations on how to align automated processing with LGPD principles.
To make it compliant, use the WPLP Compliance Platform, which provides an AI clause-based legal template. You can use this template to file a complaint with GDPL.
- Terms and Conditions: Establish fair usage, liability, and business practices, ensuring your customers are using the terms as they relate to how you run your AI-driven automated operation.

- DMCA Policy: This protects your website from copyright claims and explains how content ownership and violations need to be reported.

- General Disclaimer: Protects your company from potential legal liability by establishing limits to your business responsibility, including decisions that were based on AI tools.

To Whom Does GDPL Law Apply?
GDPL applies to any person or legal entity that processes the personal data of the residents of Brazil if –
- The individuals are located in Brazil.
- Data are collected and processed in Brazil.
- The purpose of the data collection and processing is to offer a product or service to the people in Brazil.
It does not apply if the collection and processing of personal data is –
- Done for a non-commercial purpose.
- Done for educational, social, or artistic purposes.
- Done for national security and public safety.
- Carried out outside the territory of Brazil.
Privacy Rights Mapping (Data Subject Rights)
Brazil’s LGPD grants a set of comprehensive rights to data subjects, many of which align with global privacy standards such as the GDPR. These include:

- The right to confirmation of processing and access to personal data.
- The right to correct incomplete, incorrect, or outdated information.
- The right to anonymize, block, or delete unnecessary or excessive data.
- The right to portability of personal data to another service provider.
- The right to object to processing, including processing for direct marketing or profiling.
- The right to information about automated decision-making affecting them.
In practice, mapping these rights within your organization means identifying where personal data is collected, processed, stored, shared, and deleted, along with establishing mechanisms to respond to data subject requests within the mandated timeframes.
A clear rights map also helps controllers and processors document compliance and respond more efficiently to ANPD inquiries.
What Impact Will GDPL Have On The Companies?
GDPL will impact companies that collect or process data of Brazilian residents for business purposes. They will need to comply with GDPL at every step they take, from employee relations to positioning their products in the market.
Here are the key measures that any company should take in order to be compliant with this law:
- Identify data, means of collection, and operators to check the company’s exposure to GDPL.
- Adhere to the principles provided in Article 6 of GDPL for the creation, review, and implementation of documents.
- Create an independent team and database to respond to the requests and reactions of the data subjects.
- Ensure data security for the subjects and implement adequate security measures to protect and ensure the safety of the collected data stored in the company’s database.
What Administrative Penalties Are Involved in Brazilian Law?
Here are the penalties for non-compliance with the GDPL.
Warnings will be issued, specifying a deadline for corrective action. Non-compliance will result in the following consequences.

- The authorities may impose a straightforward fine amounting to a maximum of 2% of the economic group’s net turnover in Brazil during its last fiscal year. The authorities cap this fine at BRL 50 million (approximately USD 10.5 million) per violation.
- Daily fines may apply within the limits established by the previously mentioned fine.
- Disclosure of the violation will occur after a thorough verification and confirmation process.
- Personal data involved in the violation may be blocked until the issue is resolved.
- Deletion of the personal data that is the subject of the violation may be mandated.
- Authorities may suspend the relevant database for six months, with the option for renewal for an additional six-month period.
- Authorities may suspend processing activities for six months, with the option to renew for another six-month period.
- Authorities may mandate the deletion of the personal data that is the subject of the violation.
FAQ
Yes, consent is one of the lawful bases for processing personal data under GDPL. Organizations must obtain clear, informed, and specific consent before collecting personal data, unless another lawful basis applies.
Penalties include warnings, daily fines, public disclosure of violations, blocking or deletion of personal data, suspension of databases or processing activities, and fines of up to 2% of a company’s Brazilian revenue, capped at BRL 50 million per violation.
Yes. If cookies or tracking technologies collect personal data from Brazilian users, GDPL applies. Websites should disclose cookie usage clearly and obtain valid consent where required.
Conclusion
The Ultimate Guide to GDPL emphasizes its significance in shaping data protection practices in Brazil. The law aligns with global standards, offering guidelines tailored to the nation’s dynamic landscape.
Navigating the regulatory framework is crucial, with a focus on practical compliance implications. GDPL’s impact on sensitive information is substantial, evidenced by case studies illustrating successful strategies. Looking ahead, the dynamic nature of data protection calls for continuous adaptation.
The guide serves as a roadmap for businesses to implement best practices, emphasizing the proactive measures needed to secure sensitive information and contribute to a future of ethical and responsible data management.
Most of the websites are already following current international consumer protection laws like GDPR and CCPA, and if you manage a website and wish to incorporate a cookie banner, you may want to explore the option of installing the free WP cookie consent plugin.
Disclaimer: This article is for informational and reading purposes only and does not constitute legal advice.