What is LGPD?

LGPD (Lei Geral de Protecao de Dados) is the general data protection law of Brazil. It is the most comprehensive data privacy law that has ever been in force in Brazil, imposing a number of obligations for businesses as well as granting rights to internet users.

The LGPD is considered to be the Brazil response to the GDPR. The landmark EU data protection law has raised the bar for online privacy internationally, and many governments worldwide have followed their example. Read more about the key similarities and differences between LGPD vs. GDPR.

As a result, the LGPD was signed into law in 2019. It came into force in May 2021, giving companies a 2-year period to adapt to the significant changes it brought. 

The enforcement has begun in August 2021. This means that companies and individuals to whom this law applies have to get familiar with the obligations arising from it and comply. Otherwise, they may be fined.

Why LGPD?

Before the LGPD, Brazil had no comprehensive data privacy law protecting the rights and freedoms of individuals. Brazil needed a law to allow internet users to keep their personal data private unless they consent to share it or if there was some other legally prescribed reason for the collection or processing of their data in their own or in the public interest.

Moreover, the GDPR caused a series of adequacy decisions for free international data transfers between the EU and third countries from all around the world. Brazil is not on that list yet, which is an obstacle for Brazilian businesses serving EU customers. However, passing the LGPD is a step in the right direction toward an adequacy decision.

Take a look at the 2022 LGPD updates.

Does LGPD Apply To Us?

LGPD applies to businesses and individuals processing personal data, where:

• Personal data processing has been carried out in Brazil
• The processing activity is carried out anywhere in the world for the purpose of offering or supplying goods or services or the processing of data of individuals located in Brazil, or
• The personal data have been collected in Brazil.

Simply put, this means that the LGPD applies to you if:

• You are a Brazilian business, or
• You collect and process the personal data of Brazilian citizens.

The Brazil privacy law does not make any difference between small, medium, and large companies. It applies to all as long as they meet the above-mentioned criteria for applicability.

What Are The Exceptions To LGPD Applicability?

There are some exceptions when the LGPD does not apply. Accordingly, if the processing falls under any of the below-listed exceptions, the LGPD will not apply: 

• the processing of the personal data is done by a natural person, solely and exclusively for private and non-commercial purposes; or
• the personal data is processed exclusively for one of the following purposes:
  - journalistic or artistic expression,
  - academic research,
  - public safety,
  - national defense and security,
  - investigation and prosecution of criminal offenses.
  

What Do We Need For LGPD Brazil Compliance?

LGPD Brazil requires a proactive approach from companies and individuals to whom it applies. Therefore, you are required to meet all the LGPD requirements in order to comply with the law.

At a minimum, you need to:

• Have an LGPD compliant privacy policy
• Obtain users’ consent before using cookies and tracking technologies
• Comply with data subject requests submitted by users
• Notify authorities and users in the case of a data breach
• Transfer data internationally as prescribed with the LGPD
• Appoint a Data Protection Officer

Depending on the circumstances in which your business operates, you may need to comply with other obligations as well.

What Are The LGPD Penalties For Non-Compliance?

LGPD prescribes serious penalties for businesses that do not comply with the law.

Brazilian National Data Protection Authority (ANPD) can issue any of the following penalties:

• Warning, along with corrective measures and a deadline to implement them
• Fine of up to 2% of annual turnover excluding taxes limited to 50 Million Brazilian Reals
• Daily fine limited to a total of 50 Million Brazilian Reals
• Obligatory publishing of the violation
• Deletion or blocking of personal data to which the violation refers.

ANPD can issue any of the following penalties in addition to another one:

• Partial suspension of the operation of the database to which the violation refers for maximum of 6 months, with the possibility of extension of another 6 months or until the controller cures the violation
• Suspension of all processing activities for 6 months with the possibility of extension for another 6 months
• Partial or total prohibition of processing activities.

If the violation leads to damages for the data subject, they can also initiate a lawsuit and get damages compensation in court.

Who Enforces The Brazil Privacy Law?

The LGPD Brazil established the ANPD to overlook and enforce the LGPD. It is the official government body that investigates violations of the LGPD and issues penalties accordingly.

When enforcing the law and before issuing the penalty, ANPD takes into account:

• How serious the violation is
• The good faith of the offender, if any
• The economic condition of the violator, particularly the total revenue
• The benefits obtained from the violation
• How long and how often has the violation occurred
• The cooperation by the violator
• The technical and organizational measures for prevention of damages, if any, and
• Prompt implementation of corrective measures upon becoming aware of the violation.

Courts in Brazil are competent when the data subject seeks damages recovery for the violation.

What Is Personal Data Under The LGPD?

LGPD defines personal data as any information related to an identified or identifiable person. The nature of the format of the information does not matter. As long as it can identify someone, it is personal data.

This includes information that can identify a person directly, such as personal name, email address, ID number, phone number, etc.

It also includes information that in combination with other information can be related to a specific person. This includes purchase behavior, browsing behavior, etc.

It is important to note that irreversibly anonymized data is not personal data. If it cannot be reversed, it cannot be related to a person.

Pseudonymized or reversibly anonymized data, on the other hand, can be related to a person and therefore is considered personal data.

What Is Sensitive Personal Data Under The LGPD Brazil?

LGPD clearly defines the following categories as sensitive personal data:

• Racial or ethnic origin
• Religious beliefs
• Political opinions
• Affiliation to a union or a religious, philosophical, or political organization
• Health or sexual life data, or
• Genetic or biometric data.

Processing sensitive personal data brings additional duties in some cases.

What Are Controllers And Operators Under The LGPD?

A controller is a person who decides why, what, and how to collect personal data from users.

An operator is a person who processes data on behalf of the controller.

If you run a SAAS company or an ecommerce store and you collect email addresses from users, you are the data controller of their email addresses.

Convertkit, Drip, Mailchimp, or another email provider is your operator. They process that data for you by collecting, segmenting it, automating email campaigns, and so on.

The operator processes personal data only upon written instructions by the controller. Most often it is in the form of a data processing agreement as part of the Terms of Service. Sometimes it is a separate contract. Anyway, the operator must not process data without such instructions.

Operators can further hire subcontractors for parts of their processes. For example, many of them use servers of companies such as AWS where they store and process your data. 

What Are The Brazil Privacy Law Principles For Data Processing?

LGPD is based on ten data processing principles. Controllers and operators must organize data processing in a way that complies with these principles.

They include:

1. Purpose. There must be a purpose behind every single processing activity. You can process data for analytics, statistics, marketing, or other purposes, but you must not process data for no purpose.
2. Adequacy. The data your process must be adequate for the processing purpose for which the user has been informed at the moment of collection. If you told the user that you need their email address for sending them a newsletter, that’s the only purpose you can process the email address for.
3. Necessity. The data processing has to be necessary for the purpose. In addition, you need to collect and process only the minimum necessary amount of data necessary for your purposes.
4. Free access. You have to allow users to access the data that you control.
5. Data quality. Data needs to be accurate and up-to-date.
6. Transparency. You need to provide users with information about data collection and processing, which in practice means providing them with an easy-to-read privacy policy. 
7. Security. Data must be protected from breaches and other security risks.
8. Prevention. Controllers and operators need to prevent damages before they occur.
9. Non-discrimination. The processing must not result in discriminating against users in any way.
10. Responsibility and accountability. LGPD holds you responsible and accountable, which means that you need to be able to prove your compliance to authorities and users at any time.
    

What Are The Legal Bases For Lawfully Processing Personal Data Under The LGPD?

In order to lawfully process personal data, there must be valid legal bases for processing. LGPD requires that personal data can only be processed based on at least of the following legal bases:

1. Consent of the data subject. The data subject has to give consent to the processing of his/her personal data. 

2. Compliance with the legal or regulatory obligations. Processing can be based on legal and regulatory obligations which the controller has to comply with. 

3. Execution of public policies. Processing is done by public authorities in fulfillment of their public purpose, in benefit of the public interest, for the purpose of performing legal capabilities or discharging legal attributions of the public service. 

4. Studies by research entities. Personal data is processed exclusively within the research entity and strictly for the purpose of carrying out studies and research. The research entity must ensure anonymization of personal data, where possible. 

5. Execution of a contract. Processing is necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject.

6. Exercising rights in judicial, administrative, or arbitral proceedings. Processing is carried out for the regular exercise of rights in judicial, administrative, and arbitration proceedings. 

7. Protection of life or physical safety. Processing is performed for the purposes of protecting the life or physical safety of the data subject or a third party. 

8. Protection of health. Personal data is processed in a procedure performed by health professionals, health services, or the health authority

9. Legitimate interests of the controller or third party. Personal data is processed based on the legitimate interests of the controller or a third party provided that the rights and liberties of the data subject do not override that of the controller of the third party.

10. For the protection of credit. This legal basis mainly concerns financial institutions and allows the processing of personal data for the protection of credit as provided by specific legislation.

What Is The LGPD Privacy Policy?

An LGPD privacy policy is the document that helps you meet the transparency requirement, i.e. to inform the users about your privacy practices. The privacy policy needs to contain certain elements to be compliant. These elements are:

• Identity and contact information of the controller, i.e. your identity
• Purpose of processing
• What types of data is collected and processed
• Type and duration of processing
• With whom data is shared, i.e. the operators, and
• Data subject rights.

These are only the essential elements for compliance. You are free to add more if you want to increase your transparency, but it is not obligatory.

However, if any of these elements is missing from the privacy policy, it won’t be LGPD-compliant.

Do We Need To Obtain Users’ Consent For The Use Of Cookies According To LGPD Brazil?

Yes, you need users’ prior consent before the collection of their personal data. And you have to request and obtain it in a specific way to be compliant with the law.

The consent needs to be:

• Given in writing. This also includes electronic means, such as clicking an ACCEPT COOKIES button.
• Informed. You need to inform users about your privacy practices before or at the moment of asking for consent. You can do it by providing a link to your privacy policy on your cookie banner. That way, you’ll provide them with the necessary information at the moment of collection.
• Specific. You need specific consent for each specific processing purpose. It means separate consent for analytics, marketing, preferences, or another purpose. General consent is not lawful.
• Easily withdrawn. You have to provide users an opportunity to withdraw their previously given consent.

If you process children’s data, you need consent from the parents. If the children are under 13 years of age, you need parents’ consent in any case. If they are 13 to 17 years old, you need parents’ consent unless the processing is not in the child’s best interest.

What Are The LGPD Data Subject Rights?

LGPD empowers users with data subject rights to let them hold controllers and operators accountable and responsible.

The LGPD data subject rights include the right to:

• Confirmation of the existence of processing
• Access own personal data
• Correction of incomplete, inaccurate, or outdated data
• Object to processing
• Erasure of data (the right to be forgotten)
• Anonymization, blocking, or deletion of unnecessary, excessive, or data processed in violation of the LGPD
• Data portability
• Know with whom data has been shared
• Information about the possibility to refuse giving consent for processing and the consequences for doing so
• Withdraw consent, and
• Review decisions based on automatic processing.
  

What Do We Need To Do When A User Submits A Data Subject Request?

Users can submit a data subject request to exercise their data subject rights. When a user reaches out to you with a request, you must fulfill it as soon as possible. There is no hard deadline to respond, but you need to do it in a reasonable time.

When you receive the request, first you need to confirm the user identity because you don’t want to allow access to data to the wrong person (that would be a data breach).

The response to the request has to be free of charge and as simple as possible. The user should be able to understand it.

Do We Need A Data Protection Officer (DPO)?

Yes, you need a Data Protection Officer. Unlike the GDPR, the LGPD obliges every business to have appointed a DPO.

The DPO takes care of:

• accepting complaints and communications from data subjects, providing explanations, and adopting measures; 
• receiving communications from the national authority and adopting measures; 
• orienting entity’s employees and contractors regarding practices to be taken in relation to personal data protection; and 
• carrying out other duties set forth by the ANPD.
  

Can We Transfer Personal Data Outside Of Brazil Freely?

Data transfers within Brazil are free, but outside of Brazil are not and are subject to legal requirements.

A data transfer occurs when:

• The controller collects personal data in Brazil and stores it abroad
• The controller shares personal data with operators located abroad, which requires data to be transferred abroad for processing purposes.

However, LGPD allows you to transfer personal data abroad in the following cases:

• The ANPD authorizes the transfer
• The transfer is made according to an international agreement between Brazil and the other country
• The data is transferred in a country or organization that provide a sufficient level of data protection according to the LGPD standards
• The controller provides data protection guarantees (such as standard contract clauses)
• The transfer is necessary for international legal cooperation of intelligence or prosecution bodies
• The transfer is necessary for the protection of life or safety of the data subject or third party
• The data subject has given explicit, informed, and specific consent for the transfer
• It is necessary for the execution of a contract
• For the implementation of public policies or similar purposes
• For compliance purposes of the controller.
  

What Should We Do In The Case Of A Data Breach?

LGPD obliges businesses to implement technical, organizational, and administrative measures to prevent data breaches.

When such measures do not help and a breach occurs anyway, LGPD requires businesses to investigate the case and if it poses a risk or causes significant damage to users, to inform users and authorities as soon as possible.

There is no hard deadline for informing users and authorities about the breach, but the sooner you do it, the better.

The report should contain details about the incident, such as categories of data affected, the measures taken to protect the data and mitigate the breach, the reasons for the delay of the report (if any), and others.

You can inform them by any means of communication.

How Do You Compare GDPR V. LGPD?

LGPD was made to follow the example of the GDPR, therefore the GDPR v. LGPD comparison shows many similarities between the two laws.

Similarities include:

• Required privacy policy
• Required legal basis for processing
• Required prior consent for the use of cookies
• Required written instructions for data processing
• Data subject rights
• Limitations to international data transfers
• Data breach notification requirements
• Required proactive approach to prevent breaches, and others.

On the other hand, there are certain differences, such as:

• Different requirements for obtaining consent
• No deadlines for responding to data subject requests
• No deadlines for data breach notifications, and others.

In general, those who comply with the GDPR will have no hard time complying with the LGPD as well. However, compliance with the GDPR does not mean compliance with the LGPD and vice versa. You still have work to do for LGPD compliance.

How Do You Compare LGPD V. CCPA?

Comparing LGPD v. CCPA clearly shows that these two laws have significantly different approaches in data protection.

These differences include:

• LGPD takes the opt-in approach to data processing, while CCPA takes the opt-out approach
• LGDP focuses on the protection of the personal data, while CCPA focuses on the protection of the consumer
• CCPA has no data breach notification rules
• CCPA does not limit international data transfers
• CCPA does not impose heavy fines and other penalties.

As a result, compliance with the two laws at once requires two different approaches. Compliance with one of them does not make you compliant with the other one.

Is There LGPD Compliance Software We Could Use To Make Our Business Compliant?

Of course. Secure Privacy provides businesses with LGPD compliance software to seamlessly meet the requirements prescribed by the law.

It allows you to:

• Request consent in a lawful way
• Keep records of consents
• Automate cookie-blocking
• Generate an LGPD-compliant privacy policy
• Receive and respond to data subject requests.

Download your free LGPD e-book and have it delivered directly into your inbox.