Sign In


Data Protection Bill is approved in Brazil

Data Protection and Cybersecurity

On July 10, 2018, the Brazilian Senate approved the Data Protection Bill of Law (PLC No. 53/2018 known in Portuguese as Projeto de Lei Geral de Proteção de Dados – “LGPD”), which regulates the use of personal data by entities in Brazil. Personal data is defined as information relating to an identified or identifiable person. Upon the consolidation of the final draft of the LGPD, it will be forwarded to the President of Brazil for approval, which should occur within the next 15 business days.

The LGPD significantly transformed the data protection system in Brazil and is in line with the recent European legislation (the General Data Protection Regulation – “GDPR”). The LGPD establishes detailed rules for the collection, use, processing and storage of personal data and will affect all economic sectors, including the relationship between customers and suppliers of goods and services, employees and employers and other relationships in which personal data is collected, both in the digital and physical environment.

The main topics addressed in the LGPD are, as follows:

  • Data Protection Authority: The LGPD creates the National Data Protection Authority (Autoridade Nacional de Proteção de Dados – “ANPD”), an agency subordinated to the Ministry of Justice, which will be responsible for regulating, supervising and enforcing sanctions in the event of non-compliance with data protection legislation.
  • Lawful Basis for Data Treatment: The processing of personal data may only occur if based on one of the legal grounds provided for in the LGPD. Such grounds include the processing of personal data upon the consent of the data subject for the purpose of compliance with legal or regulatory obligations, when necessary for the execution of an agreement or when necessary to meet the legitimate interest of the controller of the data or third parties. The legal grounds for processing personal data must be registered and documented.
  • Consent requirements: The LGPD imposes specific consent requirements, which must consist of a prior, free, informed and unequivocal manifestation of the data owner, for a specific purpose. Also, the consent may be revoked at any time.
  • Sensitive data: The LGPD requires a specific legal basis for the processing of sensitive data, which includes health information and biometric and/or genetic data of the data subject.
  • The rights of data subjects: The LGPD introduces new rights for data subjects, including the right to obtain information regarding the processing of data, the right to access, to rectify and delete data, the right to data portability to another supplier of goods and services and the right to obtain the review of automated decisions.
  • Data Protection Officer: The LGPD requires that entities appoint a person to be in charge of handling personal data, and ANPD may detail or exempt certain data controllers from this obligation.
  • Data breach: Data breaches and security incidents must be reported to ANPD and, in some cases, to the affected data subjects.
  • Privacy by design: Entities will be required to adopt data protection measures upon the creation of any new technology or product.
  • Privacy Impact Assessment: ANPD may require a privacy impact report in certain cases.
  • International data transfer: An international transfer of data is permitted solely in the cases provided for in the LGPD, which include the transfer to countries with an adequate level of protection (to be determined by the ANPD) or through the use of standard contractual clauses, global corporate standards, seals, certificates and codes of conduct approved by ANPD.
  • Administrative sanctions: Non-compliance with the LGPD rules may result in a warning, mandatory disclosure of the data incident, deletion of personal data, blocking, suspension and/or partial or total prohibition from the exercise of activities relating to the processing of personal data. Furthermore, entities may be subject to a fine of up to 2% (two per cent.) of its gross sales, or those of the economic group or conglomerate in Brazil, in its preceding fiscal year, excluding taxes but limited to a total of R$ 50,000,000.00 (fifty million reais) per violation.

The obligations established by the LGPD will become effective within 18 months from the publication of the LGPD, by which date entities will have to adapt their data processing activities to these new rules.