LGPD Compliance

LGPD – Brazil’s New Data Privacy Law

In August 2018, Brazil enacted the Lei Geral de Proteção de Dados (“LGPD”), the country’s data protection law, which it modeled after Europe’s General Data Protection Regulation (“GDPR”). With enforcement beginning in September 2020, the LGPD requires companies to comply with strict requirements related to the collection and processing of Brazilian consumers’ personal data.

Clym has reviewed the LGPD and compiled the reference guide below to help companies navigate this new and complicated regulation.

Who needs to comply with LGPD?

The LGPD applies to any private or public individual or company with personal data processing activities that:
  1. Are carried out in Brazil;
  2. Collect personal data from Brazilian consumers;
  3. Involve offering and supplying goods or services in Brazil; or
  4. Relate to data subjects who are geographically located in Brazil.
The LGPD has an extraterritorial scope, meaning that even if businesses aren’t physically located in Brazil, they will need to comply with the regulation. Additionally, there is no small business exemption or revenue requirement, so any business meeting any one of these requirements has a compliance obligation. Companies across a broad spectrum of industries, from financial to technology to hospitality and travel to insurance, will be affected; if you’re collecting and processing data from Brazilian consumers, you’re in.

Personal Data

What is personal data under the LGPD?

LGPD defines personal data as any information related to an identified or identifiable natural person. Essentially, if it can identify an individual (e.g. name, email, phone number, IP address, etc.) it’s in scope. Anonymized data should not be considered personal data under the LGPD, except when the process of anonymization has been reversed or if it can be reversed by applying reasonable efforts.

Legal Basis

What are the legal bases for data processing?

Data privacy laws generally outline the legal bases for processing data, which is one of the more important pieces of legislation to which a company should pay attention; the LGPD is no different, as its standards are quite similar to GDPR requirements. Processing must be:

  1. For legitimate, specific and explicit purposes of which the data subject is informed;
  2. Limited to the minimum necessary to achieve its purposes;
  3. Allow for free access and transparency to the data subject; and
  4. Protected by appropriate measures.

For companies, the key legal bases for data processing include:

  1. Consent, which includes all particular purposes of the processing;
  2. Fulfillment of legal, regulatory or contractual obligations; and
  3. “The legitimate interests of the controller or a third party,” where those interests outweigh, on balance, the data subject’s rights and liberties.

As noted above, these legal bases are similar to GDPR in their requirements. Note that a person or company who is processing data strictly for personal, journalistic, artistic, literary, academic, national security, national defense, public safety, or criminal investigation purposes is generally exempt from LGPD requirements.

Privacy Regulation Chart

Differences between GDPR, CCPA and LGPD

Issue: Data Subjects
  CCPA: California residents
  GDPR: EU residents
  LGPD: Brazilian residents

Issue: Who Must Comply?
  CCPA: For-profit entities that process personal data of California residents (regardless of the company’s location) and either: 1) earn more than $25 million in annual revenues; 2) collect and process personal data of more than 50,000 consumers; or 3) derive at least 50% of their revenues from “selling” personal data
  GDPR: Any organization (for-profit, non-profit and governmental) that processes personal data of European citizens and residents, regardless of the organization’s location
  LGPD: Any organization (for-profit, non-profit and governmental) that processes personal data of Brazilian citizens and residents, regardless of the organization’s location

Issue: Consent Management
  CCPA: Implied consent, opt-out processes (e.g. website links, etc.), “Do Not Sell” for 12 months
  GDPR: Explicit consent, consent preference tracking, consent withdrawal availability and fulfillment
  LGPD: Explicit consent, consent preference tracking, consent withdrawal availability and fulfillment

Issue: Privacy Notice
  CCPA: Provided to the consumer before or at the point of personal information collection
  GDPR: Provided to the data subject before or at the point of personal data collection
  LGPD: Provided to the data subject before or at the point of personal data collection

Issue: Processing Management
  CCPA: Purpose identification and disclosure, data minimization, purpose limitation, incentivization
  GDPR: Legal basis for collection, data minimization, purpose limitation, accuracy, and automated decision-making
  LGPD: Legal basis for collection, data minimization, purpose limitation, accuracy, and automated decision-making

Issue: Individual Rights Granted
  CCPA: Right to request information; right to data portability; right to opt-out; right to access data; right of disclosure; right to deletion; right to restrict sale of personal information
  GDPR: Right to be informed; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object to processing; rights in relation to automated decision making and profiling
  LGPD: Right to be informed; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object to processing; right to anonymization; right to deletion

Issue: Noncompliance Penalties
  CCPA: Up to $7,500 (or actual damages) for each violation if enforced by the Attorney General; up to $750 (or actual damages) for each violation if enforced by an individual
  GDPR: The greater of 4% of annual revenues or €20 million
  LGPD: Up to 2% of the company’s Brazilian revenue, up to R$50 million (about $12 million USD) per infraction

Issue: Response Time
  CCPA: 45 days
  GDPR: 30 days
  LGPD: 15 days for “right of access”; other requests are 30 days

Consumer Rights

What rights do consumers have under LGPD?

Consumers are provided with certain rights under the LGPD and are empowered to access those rights through Data Subject Access Rights (“DSARs”). These include:

  1. The right to confirmation of the existence of the processing;
  2. The right to access the data;
  3. The right to correct incomplete, inaccurate or out-of-date data;
  4. The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
  5. The right to the portability of data to another service or product provider, by means of an express request;
  6. The right to delete personal data processed with the consent of the data subject;
  7. The right to information about public and private entities with which the controller has shared data;
  8. The right to information about the possibility of denying consent and the consequences of such denial; and
  9. The right to revoke consent.
What obligations do companies have under LGPD?

In order to protect the rights of consumers, companies doing business in Brazil and subject to LGPD must:

1) Delete customer data after the relevant relationship terminates;

2) Adopt technical and administrative data security measures to protect personal data from unauthorized access, accidents, destruction, loss etc.;

3) Appoint a data protection officer (DPO) responsible for receiving complaints and communications; and

4) Provide a data breach notification to both the data subjects and local authorities in case of a breach.

Can companies transfer data outside Brazil?

Yes; however, the default rule under Article 33 of the LGPD is that such transfer is prohibited, absent certain enumerated exceptions. Transfer of data is permitted in cases including:

1) The receiving country or organization provides a level of data protection comparable to the LGPD’s;

2) The non-Brazilian data importer is bound by a contract or by global corporate policy to provide and demonstrate a level of data protection comparable to the LGPD’s;

3) International legal cooperation between government agencies; and

4) The data subject has given specific consent to the transfer.

Note that with the recent decision and guidance that the EU-US Privacy Shield is not GDPR compliant, it may be the case that Brazil does not consider the US to have equivalent data protections that permit transfer from Brazil to the US.

Do we need a Data Protection Officer?

Yes, the LGPD creates the position of Chief of Data Treatment, which is the data protection officer (“DPO”) in charge of the data processing operation. The DPO will be responsible for the following:

1) Accepting complaints and communications from data subjects and the national data protection authority;

2) Orienting employees about good practices; and

3) Carrying out other duties as determined by the controller or set forth in complementary rules.

The law also provides that the Brazilian National Authority may further establish complementary rules about the definition and the duties of the DPO, including the situations when the appointment of such person may be waived, according to the nature and the size of the covered entity or the volume of data processing operations.

What are the penalties for noncompliance with LGPD?

The maximum administrative sanction under the LGPD is 2% of the company’s Brazilian revenue, up to R$50 million (about $12 million USD) per infraction, which is lower than the up to 4% of global revenue or up to EUR 20 million under GDPR, though still a significant amount for violators.

Does LGPD apply to small and medium-sized businesses?

Yes, it does. The LGPD does not provide any exceptions for small/medium businesses or small-scale processing; if you’re processing personal data on Brazilian consumers, you’re in scope.

How can I make my website LGPD compliant?

The good news is that if you’ve made your website GDPR compliant, you’re on the right track to being LGPD compliant (if you’ve not done this, you’ve got some work to do!). The three areas of focus should be on management of consent, access, and policies.

Cookie Consent & Compliance for LGPD

Inform your users about any personal data collection activity you may perform and collect their consent for doing so in an unambiguous, informed and free way.

Let them know what categories of personal information you are collecting about them, why you are collecting it, how it will be used, for how long and what other processors you are sharing this information with.

Don’t load any cookies or third party content on the website before obtaining your users’ explicit consent.

Data Subject Rights And Requests (DSR)

Under the General Data Protection Regulation, data subjects have seven fundamental rights.

As a data processor or controller, you have the obligation to inform them about these rights, to set up a mechanism that allows users to exercise their rights, and to address these requests in a serious and timely manner.
