Brazilian General Data Protection Law (LGPD) Guide
What is the LGPD, does it affect you, and how do you achieve LGPD compliance? We break it down in easy, understandable terms in the sections below.
The Brazilian General Data Protection Law, the Lei Geral de Proteção de Dados Pessoais (LGPD), can be considered Brazil’s answer to the GDPR – with the Brazilian law aligning with the European Regulation in many ways, while differing in others. It’s intended to replace or supplement Brazil’s current dispersed legal landscape (of over 40 federal sector-based norms) with one main regulatory framework.
The LGPD aims at creating a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors.
In general, the LGPD requires that you only process personal data for legitimate, specific, explicit and clearly communicated purposes. As with the GDPR, principles of transparency and data minimization (only use the data you need) apply.
Despite a previous proposal to delay the enforcement date of the LGPD to December, after a vote by the Senate, the delay suggestion was removed from the conversion Bill (PLV) 34/2020. Brazil’s President has since sanctioned the Bill, confirming the LGPD’s enforcement date as September 18th, 2020. In this context, a decree was issued to create the National Data Protection Authority, the Autoridade Nacional de Proteção de Dados (ANPD).
The Brazilian DPA (ANPD) issued an updated version of its “Guidance for Personal Data Processing Agents and Data Protection Officers,” clarifying concepts under the LGPD and previous guidance. Read the updates here.
For example, an internet company may collect user information via their website and store it using a 3rd party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.
As with the GDPR, the LGPD has a territorial scope that extends outside of Brazil. This means that you may have to comply even if you or your business are not based in Brazil. In practical terms, the LGPD applies to you if:
In general terms, you can likely assume that the LGPD will apply to you if you either process the personal data of people located in Brazil or process the personal data of anyone, regardless of nationality, within the Brazilian territory.
Some exceptions of applicability of the LGPD exist, even where the data controller falls within the territorial scope of the law. Those exceptions are listed below. The LGPD does not apply if:
The LGPD uses a broad definition of personal data. As with the GDPR, personal data within the context of the LGPD is any data that relates to, or can be linked to, an identified or identifiable individual. This includes pieces of data that can be combined with other information to identify any individual.
Truly anonymized data (data that cannot directly or indirectly lead, within reasonable means, to the identification of a person) falls outside the scope of the LGPD. However, if the anonymization process can be reversed, or if the data is used for behavioral profiling purposes, then the LGPD will still apply.
Examples of personal data include (but are not limited to) basic identity data such as names; health, genetic and biometric data; web data such as IP addresses; personal email addresses; political opinions; and sexual orientation data.
Examples of non-personal data might include company registration numbers, generic company email addresses such as email@example.com, and anonymized data.
The LGPD identifies “sensitive” data as being apart from “regular” personal data and applies special rules to this category of personal data. Sensitive data is any data related to racial or ethnic origin, religious belief, political opinion, health or sexual life data; or data that allows the unequivocal and persistent identification of the user, such as genetic or biometric data.
Since the processing of sensitive data is more likely to expose the user to risk of discrimination, sensitive data must be processed with extra layers of security with very specific legal bases for processing in place.
In general, you can only process sensitive data if the user (or their parent/legal guardian if the person is a minor) has given consent for the particular processing. Some exceptions apply.
Key concepts of the LGPD
The principles for processing data are very similar to those of the GDPR. In particular:
Under the LGPD, data can only be processed if there’s at least one legal basis for doing so.
The legal bases are:
*Not included as a legal basis under the GDPR.
Since consent is such a critical topic and often quite relevant when it comes to online processing, we’ll take a look at the specific requirements for consent under the LGPD below.
Under the LGPD, consent must be “free, informed and unambiguous”. This means that the consent must not be coerced, the consenting action required of the user should be clear, and users must be adequately informed before granting consent. Consent must also be provided for a specific purpose, and it must always be possible for users to revoke/withdraw consent.
In regards to consent for children under 12, you are required to get specific and prominent consent from a parent or guardian. Consent can be given by a 13 – 18* year old provided that the processing of their personal data is done in their best interest. You must make every reasonable effort (using available technology) to verify that the person giving consent actually holds parental responsibility for the child.
*Note: In Brazil, the recognized age for full contractual capacity is 18.
Publicly available data
Pre-LGPD legislation allowed companies to collect and process personal data made publicly available over the internet or any public source for any reason. Under the LGPD, however, this is no longer allowed.
Under the LGPD guidelines, public personal data may only be collected and used in two ways:
Note: Due to the above, “scraping” or otherwise collecting publicly-available data for marketing, etc. will likely be limited under the LGPD.
When it comes to the processing of sensitive data, consent can be avoided only if the processing is absolutely necessary for:
Under the LGPD, exceptions to the consent requirement for processing the data of children apply if the processing is needed in order to contact the parents or legal guardians or to protect the child. The data can only be used once, must not be stored, and must not be shared with third parties without the proper consent.
Under the LGPD, users (“data subjects”) have the right to:
If you need to transfer LGPD protected data outside of Brazil, there are some guidelines to keep in mind. The LGPD allows the cross-border transfer of personal data if an adequate level of protection of the personal data is provided.
In practical terms, this means that the transfer is allowed if the receiving country is considered to have a legislation that provides for an adequate level of protection. The assessment of the adequacy level of the receiving country or international organization is made by the Data Protection Authority (DPA).
If the adequacy level is not met, it may still be possible to transfer the data abroad where one of the following conditions is met:
Under the LGPD, both data controllers and processors must maintain records of their personal data processing activities – especially when the processing is based on legitimate interest. All controllers and processors – regardless of size, frequency of processing or type of data processed – must meet this record-keeping obligation. However, exemptions may be granted by the Data Protection Authority.
In essence, a data protection impact assessment (DPIA) is a process used to help the data controller comply with data privacy rules – ensuring that the main principles are effectively met.
Under the LGPD, the DPIA documentation generally contains the description of the activities of processing personal data that could generate risks to civil rights and liberties, as well as measures, safeguards and mechanisms to mitigate that risk.
The DPIA document must at least include:
The law does not explicitly state when a DPIA is needed, but the Data Protection Authority can request that a DPIA be performed and provided by the data controller at any time.
Under the LGPD, you, the data controller, must appoint a Data Protection Officer (DPO). There are no exemptions to this rule. DPOs are individuals who are responsible for the following:
Under the LGPD, data controllers, processors or any other agent involved in the processing of personal data must implement security, technical and administrative measures in order to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or any kind of illegitimate processing.
Any security incident that could create risk or damage to users must be communicated within a reasonable timeframe to the DPA.
The communication must at least include:
Upon notification of the breach, the DPA may order the data controller to alert the media, or take other steps to mitigate the damaging effects of the incident.
As it is with the GDPR, transparency is a core principle of the LGPD. Under the LGPD users have the right to facilitated access to information about the processing of their personal data – which must be made available in a clear, adequate, and notable manner.
These disclosures include:
The LGPD states that both data controllers and processors may put into place internal processes and policies that ensure compliance with the law. This includes a privacy governance program and measures that show its effectiveness.
The governance program should, as a minimum:
The data controller must be able to demonstrate the effectiveness of their privacy governance program when needed – especially if requested to do so by the national authority.
UPDATE: On February 27, 2023, the Brazilian Autoridade Nacional de Proteção de Dados (ANPD) published regulations for the application of administrative sanctions (in Portuguese), which will empower the ANPD to impose sanctions for non-compliance with the General Data Protection Law (LGPD).
The legal consequences for non-compliance can include fines of 2% of a company’s annual turnover, up to 50 million Brazilian reais (currently roughly €8M or US$9M), per violation. But perhaps equally as concerning are the other potential corrective actions that may be taken against those who are found to be in violation.
Under the LGPD, the Brazilian Data Protection Authority has corrective powers which include issuing warnings and fines, publicizing of the violation, and blocking or deleting the processing activities or personal data to which the infraction refers – this means that if the infraction occurred in regards to email address collection, the offending data controller could risk losing the entire associated email list. The Brazilian DPA may also demand that the database related to the incident be partially suspended for up to 6 months, potentially halting any other activities that might make use of said database.
Additionally, like the GDPR, the LGPD allows users with a cause of action to seek civil damages (pecuniary or moral) for violation of the privacy law.
Identify (and document) your legal bases for processing personal data. Data controllers must define a legal basis for each processing activity and document the legal basis in their records of processing.
Maintain a record of data processing activity (required under Art. 37). While the LGPD does not include specific requirements for the form or content of these records, they will likely be similar to the register of processing required under Art. 30 of the GDPR. iubenda makes creating & maintaining data processing records easy. Read more here.
Collect and maintain valid proof of consent (required under Art. 8). As it is with the GDPR, under the LGPD the burden of proof to demonstrate valid consent lies with you, the data controller. iubenda makes creating & maintaining consent records incredibly easy. Read more here.
Appoint a data protection officer (DPO) – required under Art. 41. Under the LGPD, it’s mandatory that all data controllers appoint a DPO, who will then be tasked with the activities mentioned here. Currently, the law does not require the DPO to be physically located in Brazil, and also leaves the possibility open for controllers to appoint third-party individual consultants as their DPO.
Develop internal policies and procedures for honoring the rights of users and responding to related user requests. Data controllers must reasonably respond to data subjects’ requests to exercise their rights under the LGPD, including access, correction, anonymization, deletion and portability.
Implement a security protocol. Both controllers and processors must adopt security measures designed to safeguard and protect personal data. The DPA may provide guidelines for minimum technical standards in the future. Other legal frameworks under Brazilian law provide additional guidance related to existing standards, such as Brazil’s Civil Rights Framework for the Internet also known as Marco Civil da Internet (which settles principles, guarantees, rights, and duties for the users of the web in Brazil).
Develop an incident response and remediation plan (in accordance with Art. 50). Controllers and processors must implement an incident response plan that ensures the controller is able to comply with the mandatory incident reporting requirements (see below).
If a data breach poses significant risk or damage to users, you must notify the DPA and users (in accordance with Art. 50).
Perform data protection impact assessments (DPIAs). DPIAs may be mandatory in situations characterized as risky or, at the request of the authority, where the processing of data is based on legitimate interest.
Implement privacy by design and default. Under the LGPD, it’s mandatory to put measures in place by default, which guarantee the protection of personal data. In practical terms, the default settings should be those which guarantee the highest protection level.
Comply with cross-border data transfer requirements. Ensure that you’re aware of any applicable limits on cross-border data transfers and comply with the relevant provisions. More details here.
In terms of compliance, one of the fundamental steps is ensuring that your documents are in line with legal requirements. At iubenda, we take a comprehensive approach to data law compliance. We build solutions with the strictest regulations in mind, giving you full options to customize as needed. We help you meet your legal obligations, reduce your risk of litigation and protect your customers, building trust and credibility.
Here’s what you need to get started with full compliance:
All privacy policies generated with iubenda allow you to be compliant with the LGPD, as they contain the option to easily apply the legal standards defined by the LGPD to Brazilian users.
Our solution makes it easy for you to meet LGPD requirements, with one-click activation for:
For more information on privacy policies click here.
Meeting LGPD regulations can be a technical challenge to implement in practical terms. This is especially true for your register of data processing activities.
Our solution helps you to easily record and manage all your data processing activities so that you can comply with mandatory LGPD requirements and meet your legal obligations. It allows you to create records of processing activity: add processing activities from 1700+ pre-made options, divide them by area (sub-divisions within which data processing activities are the same), assign processors and other member roles, and document legal bases and other LGPD-required records.
In order to comply with privacy laws such as the LGPD and GDPR, you must keep proof of consent in order to demonstrate that consent was collected in a legally compliant way.
Our Consent Database simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use, simply activate the Consent Database within your dashboard and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.
💡 Did you know that the Brazilian data protection authority (ANPD) has published new guidance on cookies? You need to display a cookie banner and ask for your users’ consent before installing non-necessary cookies. For more on this, check out our Brazil: New Cookie Requirements guide.
Our Privacy Controls and Cookie Solution is easy to generate! Plus, you can customize your cookie banner, seamlessly collect consent and implement prior blocking with asynchronous re-activation.
Please note that from time to time, laws are amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.