Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) is an extensive data protection law enacted in August 2020 and enforced from August 2021, influenced by the European Union’s GDPR.
The LGPD intends to streamline Brazil’s complex web of data protection regulations by providing a unified regulatory framework. It assigns specific rights to Brazilian individuals over their personal data and imposes strict compliance requirements on organizations that process this data. The law introduces nine fundamental rights for data subjects and delineates ten legal bases for lawful data processing.
The LGPD further establishes the National Data Protection Authority (ANPD) and requires organizations to appoint Data Protection Officers (DPOs). Despite its similarities to the GDPR, the LGPD has distinct features, definitions, and enforcement measures, including less stringent penalties.
Key Takeaways
- Unified Regulatory Framework: The LGPD replaces over 40 existing federal regulations with a single comprehensive data protection law, simplifying Brazil’s regulatory landscape.
- Nine Data Subject Rights: The LGPD introduces nine rights for data subjects, including the right to access, correct, delete, and transfer their data. These rights are similar to, but distinct from, those provided by the GDPR.
- Extraterritorial Scope: The LGPD applies not only to data processing within Brazil but also to data of individuals in Brazil, regardless of where the data processor is located.
- Legal Bases for Processing: There are ten legal bases for processing personal data under the LGPD, including consent, compliance with legal obligations, execution of public policies, and protection of health and life.
- Enforcement and Penalties: The National Data Protection Authority (ANPD) oversees the enforcement of the LGPD. Penalties for noncompliance can include warnings, daily fines, and fines up to 2% of annual turnover or 50 million Brazilian reals (~ €11 million), which are less severe compared to the GDPR’s penalties.
Introduction to Brazil’s LGPD
Effective since August 2020, the LGPD had a grace period of 12 months, and enforcement began in August 2021. The National Data Protection Authority (ANPD) is responsible for its implementation.
Any organization that collects or processes personal data from Brazilian individuals must comply with the LGPD.
On August 31, 2021, the Brazilian Senate approved PEC 17/19, amending the Federal Constitution. This move cemented the protection of personal data as a fundamental right and enabled federal exclusivity in legislating data protection.
The goal is to prevent states and municipalities from meddling in LGPD enforcement.
This amendment consolidated various rules and laws, including the Data Protection Law, ensuring robust defenses against violations and fraud, especially under the Consumer Protection Code.
LGPD – Brazil’s Data Protection Law
Brazil boasts over 140 million internet users, making it the largest internet market in Latin America and fourth worldwide. Prior to the LGPD, over 40 federal regulations governed data protection, creating a complicated legal environment.
These laws were sector-specific—covering areas like banking and consumer protection—but lacked a comprehensive approach.
The LGPD streamlined this with a unified regulatory framework. Any data processed within Brazil falls under the LGPD’s purview, even if managed by foreign entities.
Influenced by the GDPR, the Data Protection Law empowers individuals with several rights. GDPR-compliant companies have a head start but must still address differences between the two laws.
What is the Data Protection Law in Brazil?
Consisting of 65 articles, the LGPD outlines how personal data must be handled in Brazil.
LGPD Overview
Article 18 of the LGPD lists nine rights for data subjects:
- Confirmation of data processing
- Access to their data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or non-compliant data
- Data portability to other services or processors upon request
- Deletion of personal data
- Information about data sharing with public and private entities
- Information about the consequences of denying consent
- Revocation of consent
These rights are similar to those in the GDPR, making them relevant for global companies dealing with Brazilian data.
LGPD and Personal Data
Article 5 of the LGPD defines key terms and concepts:
- Personal Data: Broadly, this includes any information about an identifiable individual.
- Sensitive Personal Data: Requires additional safeguards and includes racial, ethnic, religious, political, health-related, genetic, and biometric data.
Article 11 specifies limited scenarios for processing sensitive data, such as explicit consent, public policies, or research that anonymizes data.
Data Protection Law and Anonymized Data
Anonymized data refers to information that cannot identify an individual through technical means at the time of processing. If data can be re-identified, it is considered personal data.
Additional Definitions (Article 5)
- Processing: Any operation performed with personal data.
- Consent: Must be free, informed, and unambiguous regarding data processing for a specific purpose.
- Database: A structured set of personal data.
- Controller: Entity deciding the purpose and use of personal data.
- Processor: Entity processing data on behalf of the controller.
- Officer: Appointed by the controller to facilitate communication with data subjects and the ANPD.
LGPD Compliance in Brazil
The LGPD grants nine rights to data subjects, defines personal data, and outlines ten legal bases for lawful processing. It mandates appointing a Data Protection Officer (DPO) and establishes the ANPD to supervise compliance.
LGPD Scope
The Data Protection Law applies to public and private sectors, both online and offline, within and outside Brazil if processing Brazilian data.
Article 3 states its application in:
- Data processing within Brazil.
- Processing Brazilian individuals’ data by global entities.
- Processing data collected in Brazil.
The LGPD protects everyone in Brazil, not just citizens.
LGPD and EU Adequacy
Modeled on the GDPR, Brazil aims for an adequacy agreement with the EU, allowing free data flow by meeting European standards.
Conzent CMP for LGPD Compliance
Conzent CMP manages consent for cookies and tracking technologies, ensuring LGPD compliance. It identifies cookies, blocking them until users provide specific consent.
LGPD and Consent
Consent is the first and crucial legal basis for lawful processing under the Data Protection Law. Article 8 specifies that consent must be explicit, specific, and revocable, aligning with GDPR standards.
LGPD’s Legal Bases for Processing
Article 7 lists ten legal bases:
- Consent
- Legal or regulatory obligation
- Public policies
- Research, with anonymization when possible
- Contracts
- Exercise of legal rights
- Protection of life or safety
- Health protection by professionals or entities
- Legitimate interests, unless overridden by data subjects’ rights
- Credit protection
Compliance requires documenting all data handling processes.
Data Protection Authorities and Officers
The ANPD, established by presidential decree on August 26, 2020, ensures LGPD enforcement. It sets standards, supervises, audits, educates, handles data breach notifications, and enforces sanctions.
Companies must appoint a DPO to oversee LGPD compliance.
LGPD Fines and Penalties
Noncompliance can result in:
- Warnings and corrective measures
- Daily fines
- Fines up to 2% of annual turnover in Brazil or R$50 million (~ €11 million) per violation
LGPD vs GDPR
- Rights: The LGPD offers nine rights compared to the GDPR’s eight.
- Legal Bases: The LGPD specifies ten legal bases, while the GDPR has six.
- Personal Data: The LGPD has a broader definition.
- Sensitive Data: Both laws treat sensitive data similarly, but the LGPD has stricter restrictions.
- Consent and Legal Bases: The LGPD requires specific consent and has unique legal bases such as credit protection.
- DPO and DPIA: The LGPD mandates a DPO, while the GDPR requires one only under certain conditions. The LGPD also demands Data Protection Impact Assessments but is less specific about them.
- Data Breaches: The GDPR mandates reporting within 72 hours, while the LGPD suggests a “reasonable time.”
- Fines: The GDPR has higher maximum fines compared to the Data Protection Law.