Lei Geral de Proteção de Dados (LGPD) Brazil

    Overview

    The Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil's comprehensive data protection law, into effect since September 18, 2020 and enacted to regulate the processing of personal data by natural persons or legal entities, both in public and private sectors. Its primary focus is to mandate individuals' rights to privacy, freedom, and the protection of their personal data, even when processed digitally. The law was modeled after the European Union's General Data Protection Regulation (GDPR) but includes provisions specific to Brazil. 

     

     

    Regulation Summary

    Timeline
    • August 14, 2018: LGPD signed into law.
    • September 18, 2020: LGPD became enforceable.
    • August 1, 2021: Administrative sanctions became applicable.
    What Businesses Are Affected
    • Companies processing personal data in Brazil.
    • Organizations offering goods and services to individuals in Brazil.
    • Entities handling data collected in Brazil, regardless of location.
    Exemptions
    • Personal data processed for private, non-commercial purposes.
    • Data used exclusively for journalism, art, or academic purposes.
    • Data processed for national security, public safety, or law enforcement.
    Responsibilities for Businesses
    • Accountability: Demonstrate compliance with LGPD principles.
    • Transparency: Provide clear privacy notices.
    • Data Minimization: Limit data collection to what is necessary.
    • Security: Implement technical and organizational measures to protect personal data.
    • Legal Basis for Processing: Ensure processing has a valid legal basis, such as consent, legal obligation, or legitimate interests.
    Specific Responsibilities for Website Owners
    • Cookie Consent: Obtain explicit consent before using cookies.
    • Privacy Notices: Provide detailed privacy policies accessible to users.
    • Data Subject Requests: Respond to requests for data access, correction, or deletion within 15 days, with another 15 days extension possible.
    • Breach Notification: Notify the National Data Protection Authority (ANPD) of breaches within a reasonable time.
    Additional Requirements
    • Data Protection Officer (DPO): Mandatory for organizations processing significant amounts of personal data.
    • International Data Transfers: Use mechanisms such as Standard Contractual Clauses (SCCs) or obtain ANPD approval.
    • Children’s Data: Obtain parental consent for processing personal data of children under 13.
    Data Subject Rights
    • Access: Confirm and access personal data.
    • Correction: Request corrections to inaccurate data.
    • Deletion: Request deletion of data in specific circumstances.
    • Portability: Transfer personal data to another service provider.
    • Objection: Object to data processing in specific situations.
    Enforcement
    • Enforced by the National Data Protection Authority (ANPD).
    • Fines: Up to 2% of the organization’s revenue in Brazil, limited to R$50 million (approx. $8.4 million) per violation.
    • Additional sanctions: Public disclosure of violations and data processing suspension.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596