

Data Protection Law is approved in Brazil

Data Protection and Cybersecurity; Telecommunications; Intellectual Property

On August 15, 2018, the Brazilian Data Protection Law (known in Portuguese as Lei Geral de Proteção de Dados – "LGPD"), which originated from Bill of Law No. 53/2018, was published in the Brazilian Official Gazette, regulating the use of personal data in Brazil. Personal data is defined as information relating to an identified or identifiable person.

The LGPD significantly transformed the data protection system in Brazil and is in line with the recent European legislation (the General Data Protection Regulation – "GDPR"). The LGPD establishes detailed rules for the collection, use, processing and storage of personal data. It will affect all economic sectors, including the relationship between customers and suppliers of goods and services, employees and employers and other relationships in which personal data is collected, both in the digital and physical environment.

The main topics addressed in the LGPD are as follows:

Legal basis for data processing: The processing of personal data may only occur if based on one of the legal grounds contemplated in the LGPD. Such grounds include the processing of personal data upon the consent of the data subject, for the purpose of compliance with legal or regulatory obligations, when necessary for the execution of an agreement or when necessary to meet the legitimate interest of the controller of the data or third parties. The legal grounds for processing personal data must be registered and documented.

Consent requirements: The LGPD imposes specific consent requirements for a specific purpose, including prior, free, informed and unequivocal manifestation of the data owner. The consent may be revoked at any time.

Sensitive data: The LGPD requires a specific legal basis for the processing of sensitive data, which includes health information and biometric or genetic data of the data subject.

The rights of data subjects: The LGPD introduces new rights for data subjects, including the right to obtain information regarding the processing of data, the right to access, to rectify and delete data, the right to data portability to another supplier of goods and services and the right to obtain the review of automated decisions.

Data Protection Officer: The LGPD requires data users that acquire personal data to appoint a person to be in charge of handling personal data.

Data breach: Data breaches and security incidents must be reported to the data protection authority (still to be established) and, in some cases, to the affected data subjects.

Privacy by design: Data users will be required to adopt data protection measures upon the creation of any new technology or product.

Privacy Impact Assessment: The LGPD determines that a privacy impact report be prepared in certain cases.

International data transfer: An international transfer of data is permitted solely in those cases provided for in the LGPD, including the transfer to countries with an adequate level of protection or through the use of standard contractual clauses, global corporate standards, seals, certificates and codes of conduct, which must be approved by the data protection authority (still to be established).

Administrative sanctions: Non-compliance with the rules in the LGPD may result in a warning, public reprimand, deletion of the personal data or blocking of data processing activities. Furthermore, a company may be subject to a fine of up to 2% (two per cent.) of its gross sales, or the gross sales of its economic group or conglomerate in Brazil, in the preceding fiscal year, excluding taxes, but limited to a total of R$50,000,000.00 (fifty million reais) per violation.

Vetoes: The two main vetoes by President Michel Temer deal with the creation of the National Data Protection Authority (Autoridade Nacional de Proteção de Dados), which would be the agency responsible for supervising, implementing and enforcing compliance with the LGPD, and the mandatory suspension and prohibition from undertaking data processing activities by whoever fails to comply with the provisions in the LGPD.

The obligations established by the LGPD will become effective within 18 months from its official publication.

It is important to highlight that a number of formal and material errors were identified in the vetoes by President Michel Temer after the LGPD was approved. As a result, a new version of the LGPD will be published in the Official Gazette.
