<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Brazil LGPD

Brazil's data privacy law

Book a Demo

What is LGPD?

The LGPD, Lei Geral de Protecao de Dados, is Brazil’s data protection law that was enacted in August 2018, and began to be enforced in September 2020. This law was modeled after the GDPR, requiring companies to comply with strict requirements related to the collection and processing of Brazilian consumers’ personal data.

One key thing to keep in mind is that this is an opt-in law, meaning that your website visitors have to give consent or opt into their personal data being collected before this can be done. 

 

What is Personal Information and what are other key definitions?

LGPD defines personal data as any “information related to an identified or identifiable natural person.” Essentially, if it can identify an individual (e.g. name, email, phone number, IP address, etc.) it’s in scope. Anonymized data should not be considered personal data under the LGPD, except when the process of anonymization has been reversed or if it can be reversed by applying reasonable efforts.

Similar to other privacy laws, it also defines sensitive personal data as “personal data on racial or ethnic origin, religious belief, public opinion, affiliation to union or religious, philosophical or political organization, data relating to the health or sex life, genetic or biometric data, whenever related to a natural person.

However, there is no mention of the sale of personal data as part of the activity of data collectors and processors, and no mention of a child’s age in relation to the processing of personal data of children. 

 

Who has to comply with the LGPD?

The LGPD applies to any private or public individual or company with personal data processing activities that:

  • Are carried out in Brazil;
  • Collect personal data from Brazilian consumers;
  • Involve offering and supplying goods or services in Brazil; or
  • Relate to data subjects who are geographically located in Brazil.

The LGPD has an extraterritorial scope, meaning that even if businesses aren’t physically located in Brazil, they will need to comply with the regulation. Additionally, there is no small business exemption or revenue requirement, so any business meeting any one of these requirements has a compliance obligation. Companies across a broad spectrum of industries, from financial to technology to hospitality and travel to insurance, will be affected. 

To put it simply,  if you’re collecting and processing data from Brazilian consumers, you need to comply with the LGPD.

Who is excluded from LGPD compliance? 

According to the text of the law, certain categories of processing of personal data are excluded from compliance. These categories include data: 

  • “made by a natural person for exclusively private and non-economic purposes; 
  • made exclusively for:
    • journalistic and artistic purposes; or
    • academic purposes
  • made exclusively for the following purposes:
    • public security;
    • national defense;
    • safety of the Country; or
    • crime investigation and punishment activities; or
  • originating from outside the Brazilian territory and which are not subject to communication, shared use of data with Brazilian processing agents or subject to international transfer of data with other countries than the country of origin, provided the country of origin provides a degree of personal data protection consistent with the provisions of this Law.”

How can I keep my organization LGPD compliant? 

The good news is that if you’ve made your website GDPR compliant, you’re on the right track to being LGPD compliant (if you’ve not done this, you’ve got some work to do!). The three areas of focus should be on management of consent, access, and policies.

Data privacy laws generally outline the legal base for processing data, which is one of the more important pieces of legislation to which a company should pay attention; the LGPD is no different as its standards are quite similar to GDPR requirements. Processing must be:

  • For legitimate, specific and explicit purposes of which the data subject is informed;
  • Limited to the minimum necessary to achieve its purposes;
  • Allow for free access, transparency to the data subject; and
  • Protected by appropriate measures
  • For companies, the key legal base for data processing include:
  • Consent, which includes all particular purposes of the processing;
  • Fulfillment of legal, regulatory or contractual obligations; and
  • For “the legitimate interests of the controller or a third party,” where those interests outweigh, on balance, the data subject’s rights and liberties.

As noted above, these legal bases are similar to GDPR in their requirements. Note that a person or company who is processing data strictly for personal, journalistic, artistic, literary, academic, national security, national defense, public safety, or criminal investigation purposes are generally exempt from LGPD requirements.

In order to protect the rights of consumers, companies doing business in Brazil and subject to LGPD must:

  • Delete customer data after the relevant relationship terminates;
  • Adopt technical and administrative data security measures to protect personal data from unauthorized access, accidents, destruction, loss etc.; and 
  • Provide a data breach notification to both the data subjects and local authorities in case of a breach.

Companies can transfer data outside of Brazil, however the default rule, under Article 33 of the LGPD, is that such transfer is prohibited, absent certain enumerated exceptions. In some cases, transfer of data is permitted, including:

  • The receiving country or organization provides a level of data protection comparable to that of the LGPD;
  • The non-Brazilian data importer is bound by a contract or by global corporate policy to provide and demonstrate a level of data protection comparable to that of the LGPD;
  • International legal cooperation between government agencies; and
  • The data subject has given specific consent to the transfer. Note that with the recent decision and guidance that the EU-US Privacy Shield is not GDPR compliant, it may be the case that Brazil does not consider the US to have equivalent data protections that permit transfer from Brazil to the US.

The LGPD at the moment suggests that all companies, public and private, shall appoint a Chief of Data Treatment, which is the data protection officer (“DPO”), regardless of the types of data processed. The DPO will be responsible for the following: 

  • Accepting complaints and communications from data subjects request and the national data protection authority;
  • Orienting employees about good practices; and 
  • Carrying out other duties as determined by the controller or set forth in complementary rules.The law also provides that the Brazilian National Authority may further establish complementary rules about the definition and the duties of the DPO, including the situations when the appointment of such person may be waived, according to the nature and the size of the covered entity or the volume of data processing operations.

What data access rights does LGPD grant? 

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to anonymization
  • Right to data portability
  • Right to deletion
  • Right to restrict processing
  • Right to erasure

LGPD Brazil compliant website with Clym

Book a Demo

How to address data subject access requests under LGPD?

Consumers are provided with certain rights under the LGPD and are empowered to access those rights through Data Subject Access Rights (“DSARs”)

The timeframe for replying to a data subject request is of maximum 15 days from the date of the request and the data has to be provided either immediately, in simplified form, or “by means of a clear and complete statement indicating the origin of the data, the inexistence of registration, the criteria used and the purpose of the processing, observing the business and industrial secrets, provided within up to fifteen (15) days as from the date of request of the data subject.”

In addition, the LGPD mandates in article 41 that your company has to appoint a data protection officer, whose activity will consist of the following:

  • “to accept complaints and communications from the data subjects, provide clarifications and take measures;
  • to receive communications from the supervisory authority and take measures;
  • to instruct the employees and contractors of the entity on the practices to be adopted in relation to the personal data protection; and
  • to carry out any other duties established by the controller or in supplementary rules.”

The identity and contact data for your DPO has to be “publicly, clearly and objectively disclosed,” preferably on your website. It is not mandatory to inform the National Authority about a DPO appointment under the current legislation. 

 

Enforcement and penalties

The maximum administrative sanctions under the LGPD is 2% of the company’s Brazilian revenue or up to R$50 million (about $12 million USD) per infraction, which is lower than the up to 4% of global revenue or up to EUR 20 million for GDPR, though still a significant amount for violators.



Data Subject Rights - GDPR vs. LGPD

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • Ready Compliance: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

illustration of means of contact

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596