Brazilian General Data Protection Act (LGPD)
Brazilian General Data Protection Act
Brazilian General Data Protection Act (Lei Geral de Proteção de Dados, LGPD, in Portuguese) was a privacy law introduced by Brazil. It was passed by the Brazilian Federal Senate on August 14, 2018, and will take effect on August 16, 2020. LGPD establishes a legal framework for the use of Brazilian personal data and was inspired by the General Data Protection Regulation (GDPR). Regardless of where the data processor is located, LGPD applies to businesses process that personal data of users located in Brazil.
Importance of LGPD
LGPD stated clearly about the rights of individual data and outlined ten legal bases in article 7. Enterprises are required to hire a data protection officer (DPO) and establish the Autoridade Nacional de Proteção de Dados (ANPD), which is a national data protection authority of LGPD. ANPD is responsible for issuing guidelines and enforcing data protection laws in Brazil. Most importantly, this LGPD requires compulsory data breach notification and stated penalties clearly. Since Brazil has more than 138 million internet users, making it the fourth-largest internet market in the world, your enterprise may need to comply with the LGPD.
What does LGPD apply to?
I - Data processing within the territory of Brazil
II - Data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located
III - Data processing of data collected in Brazil
This means the LGPD not only protects the personal data of Brazilian citizens but also protecting any individual data collected or processed in Brazil.
Nine rights of LGPD
According to Act 18, the personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being processed by the controller, at any time and by means of request:
I – confirmation of the existence of the processing;
II – access to the data;
III – correction of incomplete, inaccurate or out-of-date data;
IV – anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this Law;
V – portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency;
VI – deletion of personal data processed with the consent of the data subject, except in the situations provided in Art. 16 of this Law;
VII – information about public and private entities with which the controller has shared data;
VIII – information about the possibility of denying consent and the consequences of such denial;
IX – revocation of consent
According to Act. 52, Companies that violate the new law will be subject to fines reach up to 2% of the organization's total revenue, with a limit of R$50 million (BRL) per violation.