Main aspects of the Brazilian General Data Protection Law
On August 14, 2018, the President approved Law No. 13,709, the Brazilian General Data Protection Law (LGPD).
Brazil now has clear rules for the processing of personal data, finally adopting a specific law that replaces or complements a scattered body of legislation whose legal uncertainty was out of step with an increasingly data-driven world.
The LGPD will come into force on February 15, 2020 and we describe below its main aspects:
The law applies to any processing operation (online or offline) carried out by a natural person or legal entity, public or private, located in Brazil or abroad, provided that (i) the personal data was collected in Brazil; (ii) any processing activity is performed in Brazil; or (iii) the processing aims at offering or supplying goods and services to individuals located in Brazil.
The law does not apply to the processing of personal data (i) carried out by a natural person without economic ends; (ii) for journalistic, artistic or academic purposes; (iii) for public safety; or (iv) collected in other countries.
- Personal data: information related to an identified or identifiable natural person (e.g., name, telephone, address and email);
- Sensitive personal data: personal data on racial origin, ethnicity, political, sexual and religious orientation, health data, genetic data, biometrics, etc.
- Anonymized data: data that cannot identify the owner, considering the use of technical measures in the data processing;
- Processing of personal data: any operation carried out with personal data, such as the collection, use, access, storage, processing, transfer, etc.
- Data owner: the natural person to whom the personal data refer;
- Data controller: agent responsible for decisions concerning the processing of personal data;
- Data processor: agent that performs the processing of personal data on behalf of the controller.
Legal basis for data processing
- Owners’ consent, in writing or by other means that demonstrate their informed and unequivocal manifestation of free will;
- Compliance with legal or regulatory obligation;
- Enforcement of public policies;
- Studies by research entities;
- Contracts enforcement;
- Regular exercise of rights in judicial, administrative or arbitration proceedings;
- Protection of the life or physical safety of the data owner or a third party;
- Health protection;
- Legitimate interests involving the support and promotion of the activities of the controller and the regular exercise of rights of the data owner and the rendering of services that benefit the data owner (and only involving personal data strictly necessary for the intended purpose);
- Credit protection.
At any time, the data owner can obtain from the controller: (i) confirmation of the existence of the data processing; (ii) access to the data; (iii) correction of the data; (iv) anonymization, blocking or elimination of unnecessary, excessive or unlawful data; (v) portability of personal data to another supplier; (vi) deletion of his/her data, except in cases provided for by law; (vii) information on the entities with which his/her data has been shared; (viii) information on the possibility of not granting consent and the consequences of refusal; and (ix) revocation of consent.
Erasure of personal data
The termination of the data processing must occur upon: (i) reaching the purpose for which the data was processed; (ii) the end of the processing period; (iii) the revocation of consent by the data owner; and (iv) a determination from the national authority.
Personal data should then be deleted, but its retention is authorized for: (i) the compliance with legal obligation; (ii) a study by a research entity; (iii) the transfer to third parties; or (iv) the exclusive use of the controller, provided the data is anonymized.
International transfer of data
International transfer is permitted, among other cases: (i) to countries or international organizations that provide a degree of personal data protection comparable to that of the LGPD; (ii) when the controller can prove adequate protection through contractual clauses, corporate rules, certificates, etc.; (iii) when necessary for legal cooperation between public bodies; (iv) when necessary for the protection of life or physical safety; (v) when the national authority authorizes the transfer; (vi) when the data owner has granted specific consent; or (vii) when necessary for the enforcement of a contract, compliance with a legal obligation, or the exercise of rights in a judicial process by the controller.
Data protection officer
The controller shall appoint a data protection officer to be in charge of the processing of personal data. The officer's attributions include providing clarifications and taking action in response to communications from the data owners and the national authority, and guiding employees and contractors on the practices to be adopted for the protection of personal data.
The processing agents must adopt technical, security and administrative measures to protect personal data from unauthorized access and from accidental or unlawful events. The minimum technical standards shall be laid down by the national authority.
The controller shall notify, within a reasonable period of time, both the national authority and the data owner of any security incident that could cause significant risk or damage to the data owners.
Sanctions include: a warning; a fine for each infraction of up to 2% of the income of the legal entity or its economic group in Brazil in the previous fiscal year, limited to R$ 50,000,000.00; publicizing of the infraction; and blocking or deletion of the personal data.
Period for adjustments
18 months after publication, i.e., February 15, 2020.
Creation of a National Data Protection Authority
The national authority is yet to be created by the Brazilian government, by means of a specific Bill of Law.
For further information, contact our Intellectual Property team.