LGPD – Brazil’s New Data Privacy Law
In August 2018, Brazil enacted the Lei Geral de Proteção de Dados (“LGPD”), the country’s data protection law, which it modeled after Europe’s General Data Protection Regulation (“GDPR”). With enforcement beginning in September 2020, the LGPD requires companies to comply with strict requirements related to the collection and processing of Brazilian consumers’ personal data.
Clym has reviewed the LGPD and compiled the reference guide below to help companies navigate this new and complicated regulation.
The LGPD applies to any private or public individual or company with personal data processing activities that:
1) Are carried out in Brazil;
2) Collect personal data from Brazilian consumers;
3) Involve offering and supplying goods or services in Brazil; or
4) Relate to data subjects who are geographically located in Brazil.
The LGPD has an extraterritorial scope, meaning that even businesses that aren’t physically located in Brazil will need to comply with the regulation. Additionally, there is no small business exemption or revenue threshold, so any business meeting any one of these criteria has a compliance obligation. Companies across a broad spectrum of industries, from financial to technology to hospitality and travel to insurance, will be affected; if you’re collecting and processing data from Brazilian consumers, you’re in.
LGPD defines personal data as any information related to an identified or identifiable natural person. Essentially, if it can identify an individual (e.g. name, email, phone number, IP address, etc.) it’s in scope. Anonymized data should not be considered personal data under the LGPD, except when the process of anonymization has been reversed or if it can be reversed by applying reasonable efforts.
Data privacy laws generally set out the legal bases for processing data, which is one of the more important parts of any such legislation for a company to pay attention to; the LGPD is no different, and its standards are quite similar to the GDPR’s. Processing must:
1) Be for legitimate, specific and explicit purposes of which the data subject is informed;
2) Be limited to the minimum necessary to achieve those purposes;
3) Allow free access and transparency for the data subject; and
4) Be protected by appropriate security measures.
For companies, the key legal bases for data processing include:
1) Consent, which includes all particular purposes of the processing;
2) Fulfillment of legal, regulatory or contractual obligations; and
3) For “the legitimate interests of the controller or a third party,” where those interests outweigh, on balance, the data subject’s rights and liberties.
As noted above, these legal bases are similar to the GDPR’s in their requirements. Note that a person or company processing data strictly for personal, journalistic, artistic, literary, academic, national security, national defense, public safety, or criminal investigation purposes is generally exempt from LGPD requirements.
Consumers are provided with certain rights under the LGPD and are empowered to access those rights through Data Subject Access Rights (“DSARs”). These include:
1. The right to confirmation of the existence of the processing;
2. The right to access the data;
3. The right to correct incomplete, inaccurate or out-of-date data;
4. The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
5. The right to the portability of data to another service or product provider, by means of an express request;
6. The right to delete personal data processed with the consent of the data subject;
7. The right to information about public and private entities with which the controller has shared data;
8. The right to information about the possibility of denying consent and the consequences of such denial; and
9. The right to revoke consent.
In order to protect the rights of consumers, companies doing business in Brazil and subject to LGPD must:
1) Delete customer data after the relevant relationship terminates;
2) Adopt technical and administrative data security measures to protect personal data from unauthorized access, accidents, destruction, loss etc.;
3) Appoint a data protection officer (DPO) responsible for receiving complaints and communications; and
4) Provide a data breach notification to both the data subjects and local authorities in case of a breach.
Yes; however, the default rule under Article 33 of the LGPD is that such transfers are prohibited, absent certain enumerated exceptions. Transfer of data is permitted in some cases, including when:
1) The receiving country or organization provides a level of data protection comparable to the LGPD’s;
2) The non-Brazilian data importer is bound by a contract or by global corporate policy to provide and demonstrate a level of data protection comparable to the LGPD’s;
3) International legal cooperation between government agencies; and
4) The data subject has given specific consent to the transfer.
Note that with the recent decision and guidance that the EU-US Privacy Shield is not GDPR compliant, it may be the case that Brazil does not consider the US to have equivalent data protections that permit transfer from Brazil to the US.
Yes, the LGPD creates the position of Chief of Data Treatment, which is the data protection officer (“DPO”) in charge of the data processing operation. The DPO will be responsible for the following:
1) Accepting complaints and communications from data subjects and the national data protection authority;
2) Orienting employees about good practices; and
3) Carrying out other duties as determined by the controller or set forth in complementary rules.
The law also provides that the Brazilian National Authority may further establish complementary rules about the definition and the duties of the DPO, including the situations in which the appointment of such a person may be waived, according to the nature and the size of the covered entity or the volume of data processing operations.
The maximum administrative sanction under the LGPD is 2% of the company’s revenue in Brazil, capped at R$50 million (about $12 million USD) per infraction. This is lower than the GDPR’s maximum of 4% of global revenue or EUR 20 million, though still a significant amount for violators.
Yes, it does. The LGPD does not provide any exceptions for small/medium businesses or small-scale processing; if you’re processing personal data on Brazilian consumers, you’re in scope.
The good news is that if you’ve made your website GDPR compliant, you’re on the right track to being LGPD compliant (if you’ve not done this, you’ve got some work to do!). The three areas of focus should be on management of consent, access, and policies.
The first step is to take an inventory of the trackers (such as Google Analytics, Facebook Pixel, etc.) that you have running on your website. The vast majority of websites use these types of tracking technologies to advertise, collect statistics and run marketing campaigns. Similar to the GDPR, notice must be provided to a website visitor, and you must obtain explicit consent before using these trackers, meaning the visitor must “opt in” to their use. You cannot rely on a cookie wall or implied consent, and you must be able to demonstrate that you obtained consent in accordance with the LGPD.
To obtain valid cookie consent under the LGPD, you need to follow specific requirements: consent must be informed, explicit, freely given and specific; data subjects must be able to withdraw it; and the consent request must be written in plain language and clearly visible. Clym’s platform can help you obtain consent that meets these LGPD requirements.
In order to be compliant, your consent methodology must:
1) Clearly identify each party for which the cookie consent is being granted (category, name of tracker and its purpose);
2) Empower a user to easily withdraw consent (specifically, you cannot use a cookie wall which says something to the effect of “by using this site, you accept cookies”);
3) Provide granular levels of control with separate consents for tracking and analytics cookies, as well as mechanisms to also signal customer consent; and
4) Keep a record of consent and make it available to regulators and consumers.
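The four requirements above, as an added illustration (not Clym's platform code): a minimal consent manager that names every tracker and its purpose in the notice, treats "no decision" as denial so nothing loads before an explicit opt-in, lets the visitor grant or withdraw consent per category, and keeps a timestamped record that can be exported for a regulator or the data subject. The tracker registry, the `load`/`unload` callbacks and the fixed clock are constructed for the example.

```javascript
// Added example: default-deny consent gating for website trackers.
class ConsentManager {
  // trackers: [{ name, category, purpose, load, unload }] (assumed shape)
  constructor(trackers, now = () => new Date().toISOString()) {
    this.trackers = trackers;
    this.now = now;
    this.consent = {};       // category -> true|false; absent means no decision yet
    this.record = [];        // audit trail: who consented to what, and when
    this.loaded = new Set(); // names of trackers currently running
  }
  // Requirement 1: the notice names each party, its category and its purpose.
  notice() {
    return this.trackers.map(t => `${t.category}: ${t.name} (${t.purpose})`);
  }
  // Requirement 3: consent is granted per category, never all-or-nothing.
  grant(categories, source = 'banner') {
    for (const c of categories) this.consent[c] = true;
    this.record.push({ at: this.now(), action: 'grant', categories: [...categories], source });
    this.apply();
  }
  // Requirement 2: withdrawal is a first-class action and takes effect immediately.
  withdraw(categories, source = 'settings') {
    for (const c of categories) this.consent[c] = false;
    this.record.push({ at: this.now(), action: 'withdraw', categories: [...categories], source });
    this.apply();
  }
  // Load only explicitly permitted trackers; unload anything no longer permitted.
  apply() {
    for (const t of this.trackers) {
      const allowed = this.consent[t.category] === true; // implied consent never counts
      if (allowed && !this.loaded.has(t.name)) { t.load(); this.loaded.add(t.name); }
      else if (!allowed && this.loaded.has(t.name)) { t.unload(); this.loaded.delete(t.name); }
    }
  }
  // Requirement 4: the record is available to regulators and to the consumer.
  exportRecord() { return JSON.stringify(this.record); }
}

// Constructed walkthrough: stub loaders record calls instead of touching the DOM.
function demo() {
  const calls = [];
  const mk = (name, category, purpose) => ({ name, category, purpose,
    load: () => { calls.push(`load:${name}`); }, unload: () => { calls.push(`unload:${name}`); } });
  const cm = new ConsentManager([
    mk('Google Analytics', 'analytics', 'site statistics'),
    mk('Facebook Pixel', 'marketing', 'ad campaign measurement'),
  ], () => '2020-09-18T00:00:00Z');
  cm.apply();                 // page load: no decision yet, so nothing runs
  cm.grant(['analytics']);    // visitor opts in to analytics only
  cm.withdraw(['analytics']); // visitor changes their mind in settings
  return { notice: cm.notice(), calls, record: cm.record, loaded: [...cm.loaded] };
}
```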
Under Brazil's Lei Geral de Proteção de Dados (LGPD) Regulation, data subjects have seven fundamental rights.
As a data processor or controller, you are obliged to inform data subjects about these rights, to set up a mechanism that allows them to exercise those rights, and to address such requests in a serious and timely manner.