The General Data Protection Regulation (GDPR) has become the blueprint for many data protection laws (there are too many to list here) in the world. Brazil’s data protection regulation, LGPD is one of the regulations that follow the footsteps of the EU law.
The LGPD has many similarities with the EU GDPR. However, there are some notable differences too.
In this post, we will look into some of the key highlights of the Brazilian data protection law.
What is LGPD?
The Brazilian General Data Protection Law, Lei Geral de Proteção de Dados (LGPD) was passed in 2018 and came into effect on September 18, 2020. It is a replacement of over 40 personal data governing statutes (both online and offline) with one legal/regulatory framework.
The objective of the law is to protect the fundamental rights and privacy of the people. It encourages economic and technological development and innovation.
It issued a National Data Protection Authority, Autoridad Nacional de Protección de Datos (ANPD) to supervise the enforcement of the regulation in Brazil. They formulate rules for good practices and governance for processing personal data.
‘Personal data’ under LGPD?
Personal data under LGPD is any information related to an identified or identifiable natural person. Examples of personal data include name, email address, and IP address. However, the LGPD does not specifically mention these examples. Hence, we can expect an amendment there.
Like GDPR, the LGPD also includes a special category of personal data, called ‘sensitive personal data.’ Sensitive personal data refers to racial or ethnic origin; religious conviction; political opinion; union affiliation or religious; philosophical or political organization; health or sexual life data; genetic or biometric data, related to a natural person.
Who should comply with LGPD?
The LGPD applies to any natural person or entity, irrespective of its location, if:
- the processing is carried out in Brazil;
- the entity offers goods and services or processes personal data of people located in Brazil; or
- the personal data of the person, regardless of their nationality or current location, was collected when they were in Brazil.
However, there are some exceptions. The LGPD does not apply when:
- The processing is carried out by a natural person exclusively for private and non-economic purposes;
- The personal data is processed solely for purposes, such as:
- journalistic and artistic; or
- The processing is carried exclusively for:
- public safety;
- national defense;
- state security; or
- criminal probe.
LGPD principles for processing activities
The law has laid down 10 principles that any processing activities must follow.
- Purpose: The processing activity must be carried out for legitimate, specific, explicit, and informed purposes to the data subject. You must not carry out any processing activity for anything outside of the original purpose is not lawful.
- Adequacy: The standard of processing activity must be accordant with the purpose informed to the data subject.
- Need: The processing of personal data must be limited to the minimum necessary for the defined purpose.
- Free access: The data subjects must have free and easy access to information about the processing activity.
- Data quality: the personal data must be kept accurate, clear, relevant, and updated, to fulfill the purpose of its processing.
- Transparency: information about the processing and the processing agents (controllers and processors) must be clear, accurate, and easily accessible.
- Security: The processing agents must use technical and administrative measures to protect data from unauthorized access or data breach.
- Prevention: The processing agents must adopt measures to prevent any damage data due to processing activity
- Non-discrimination: The personal data must not be processed for illicit or discriminatory reasons.
- Responsibility and accountability: the processing agent must demonstrate compliance with the law by adopting effective measures.
Lawful bases for processing data
The LGPD directs that the processing of personal data is only lawful under the following circumstances:
- Consent from the data subject
- Legal or regulatory obligation by the controller
- Necessary for the execution of public policies
- Required for studies by research body, with, wherever possible, data anonymization
- Contractual obligation, of which the data subject is a part of
- for the regular exercise of rights in the judicial, administrative, or arbitral proceeding
- For the vital interest of the data subject or third-arty
- To protect the health, especially in a procedure performed by health professionals, health services, or health authority
- The legitimate interest of the controller or third party, except when it interrupts the fundamental rights and freedom of the data subject
- For credit protection
Consent under LGPD
Consent under LGPD is similar to consent under GDPR.
Under the LGPD, consent must be “free, informed and unequivocal.”
The law has the following conditions for consent:
- There should be a separate clause in case the consent is given in writing.
- The controller is responsible to prove that consent was obtained per the provisions of the law.
- The processing of personal data through invalid or defective consent is illegal.
- Consent obtained for specified purposes does not mean generic authorizations for the processing of personal data.
- The data subject can revoke consent at any time, through a free and easy process.
- In case of any change of information related to rights or purpose of processing — obtained via consent — the data subjects can revoke their consent if they disagree with the changes.
- In the case of children under 12 years of age, prominent consent by at least one parent or legal guardian is mandatory.
- Consent is not mandatory for children’s data if it is necessary to contact the parent or legal guardian. However, the data must have been used only once and without storage or transfer to a third party.
Data subjects rights under LGPD
Art. 18 of the law grants the following rights to the data subjects, which the controller must provide, at any time and upon request:
- Confirmation of the existence of processing
- Access to data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or elimination of unnecessary or excessive data, or of any data not processed in compliance with the law
- Data portability to other service providers or suppliers per the ANPD regulations and observing industrial ethics
- Deletion of personal data processed with the consent of data subject
- Information on public and private entities with which the controller shares the personal data
- Information on the right to deny consent and its consequences
- Right to revoke consent
International data transfer
The international transfer of personal data is allowed in the following cases:
- The international organization or the country provides an adequate level of protection of the personal data;
- The controller can guarantee LGPD compliance, in the form of contractual clauses, corporate rules, or code of conducts;
- The explicit consent of data subject to data transfer;
- Legal obligations
- Vital interest of the data subject or third party;
- The ANPD authorizes the transfer;
- To fulfill an international cooperation agreement; or
- To enforce a public policy.
Data Protection Officer (DPO) under LGPD
The data controller must appoint a Data Protection Officer (DPO), whose identity and contact data must be publicly and clearly available, preferably on the controllers’ website.
The responsibilities of the DPO include:
- Accept complaints and communications from the data subjects, provide clarifications, and take measures
- Receive communications from the supervisory authority and take measures
- Instruct the employees and contractors on best practices to protect personal data
- Carry out any other duties established by the controller or in supplementary rules
Data Security and Incidents (breach)
The processing agents must adopt appropriate technical and organizational measures to protect data against unauthorized access or any form of improper or illegal treatment.
In the event of a data breach, the data controller must report to the ANPD and the data subjects. The controller must submit the report within a reasonable time (exact period not specified) and must include:
- Description of the nature of the affected personal data
- information about the affected data subjects
- information about the technical and security measures taken to protect the data
- the risks related to the incident
- the reasons for any delay in communicating with the ANPD
- the measures adopted or will be adopted to reverse or mitigate the damage caused by the incident
The ANPD will verify the severity of the breach and the measures taken. According to their verification, they can order the controller to alert the media. They may also order the controller to take other measures to mitigate the damage.
LGPD administrative sanctions
The ANPD may order strict actions against an organization in the event of violation or non-compliance.
It may levy a fine of 2% of an organization’s annual turnover in Brazil, up to 50 million Brazilian Reais (about US$9M), per violation. Other actions include warning, with a deadline to adopt corrective measures; daily fine; publicizing the violation; blocking the processing activity; or deleting the personal data that relates to the violation.
The LGPD has left many things unexplained or open to interpretation. Therefore, we can expect some amendments to the existing regulation.
There are not many differences from the GDPR. Here is a quick comparison of both the laws:
Cookie compliance under LGPD
The LGPD does not mention cookies even once like its European counterpart. However, if a website wants to comply with the law for using cookies, it can follow the GDPR standards, like:
- Consent before storing cookies
- Record consent for proof
- Granular consent option for cookies
- Option to withdraw consent at any time
- Provide cookie information in plain and simple language
- Cookie information must be easily accessible
CookieYes is a cookie consent solution for your website to comply with data protection laws like GDPR. It provides the provisions mentioned above and more. You can add a cookie consent banner to your website to get user consent. The customization features allow you to decide what information it must include and how it looks. You can also let the visitors decide their cookie preferences.
You can also log the users' consent you receive the banner for documentation purposes. It will help you to demonstrate proof of compliance for cookies, in case of an audit.
Sign up for free today!