Iubenda logo

Documentation

Table of Contents

What is LGPD and how do you become compliant?

Brazilian General Data Protection Law (LGPD) Guide

What is the LGPD, does it affect you, and how do you achieve LGPD compliance? We break it down in easy, understandable terms in the sections below.

In short

What is the LGPD and what does it require you to do?

The Brazilian General Data Protection Law, the Lei Geral de Proteção de Dados Pessoais (LGPD) can be considered as Brazil’s answer to the GDPR – with the Brazilian law aligning with the European Regulation in many ways, while differing in others. It’s intended to replace or supplement its current dispersed legal landscape (of over 40 federal sector-based norms) with one main regulatory framework.

The LGPD aims at creating a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors.

In general, the LGPD requires that you only process personal data for legitimate, specific, explicit and clearly communicated purposes. As with the GDPR, principles of transparency and data minimalization (only use the data you need) apply.

The enforcement date of the LGPD is currently uncertain as parliament has until August 27th to pass an order to delay the LGPD’s entry into force. If the order is not passed by that date the LGPD will retroactively come into force on August 16th, 2020.

Special definitions used below
  • The term “user” here means a natural person whose personal data is processed by a controller or processor (known formally as the holder or data subject).
  • The term “data controller” means any natural or legal person, whether public or private, involved in determining the purpose and ways of processing the personal data.
  • The term “data processor” or “operator” means any person or legal entity involved in processing personal data on behalf of the controller.
  • The term Data Protection Authority (DPA) within this document refers to the Brazilian Data Protection Authority (ANPD)

For example, an internet company may collect user information via their website and store it using a 3rd party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.

Where does the LGPD apply? (Territorial scope of the LGPD)

As with the GDPR, the LGPD has a territorial scope that extends outside of Brazil. This means that you may have to comply even if you or your business are not based in Brazil. In practical terms, the LGPD applies to you if:

  • your data processing activities are carried out in Brazil (e.g. you use servers based in Brazil);
  • you offer or supply goods or services to persons located in Brazil, regardless of their nationality; or
  • you process data which refer to individuals located in Brazil (even if the person was only in Brazil at the time of the collection of the data and has since changed locations).

In general terms, you can likely assume that the LGPD will apply to you if you either process the personal data of people located in Brazil or process the personal data of anyone, regardless of nationality, within the Brazilian territory.

Exceptions of applicability

Some exceptions of applicability of the LGPD exist, even where the data controller falls within the territorial scope of the law. Those exceptions are listed below. The LGPD does not apply if:

  • the processing of the personal data is carried out by a natural person, solely and exclusively for private, non-commercial purposes; or
  • the personal data are processed solely for one of the following purposes:
    • journalistic or artistic expression,
    • academic research,
    • public safety,
    • national defence and security,
    • investigation and prosecution of criminal offences.

What is “Personal Data” under the LGPD?

The LGPD uses a broad definition of personal data. As with the GDPR, personal data within the context of the LGPD is any data that can be linked to an identified or identifiable individual. All in all, it is considered to be personal data any data that relates to an identified or identifiable individual. This includes pieces of data that can be combined with other information to identify any individual.

What about the LGPD and Anonymized data?

Truly anonymized data (data that cannot directly or indirectly lead, within reasonable means, to the identification of a person) falls outside the scope of the LGPD. However, if the anonymisation process can be reversed or if the data is used for behavioral profiling purposes then the LGPD will still apply.

Examples of personal data include (but are not limited to) basic identity data such as names, health, genetic & biometric data, web data such as IP addresses, personal email addresses, political opinions, and sexual orientation data.
Examples of non-personal data might include company registration numbers, generic company email addresses such as info@company.com, and anonymized data.

Special note on sensitive data under the LGPD

The LGPD identifies “sensitive” data as being apart from “regular” personal data and applies special rules to this category of personal data. Sensitive data is any data related to racial or ethnic origin, religious belief, political opinion, health or sexual life data; or data that allows the unequivocal and persistent identification of the user, such as genetic or biometric data.

Since the processing of sensitive data is more likely to expose the user to risk of discrimination, sensitive data must be processed with extra layers of security with very specific legal bases for processing in place.

In general, you can only process sensitive data if the user (or their parent/legal guardian if the person is a minor) has given consent for the particular processing. Some exceptions apply.

💡 Tip: you can use the floating menu at the left to jump to the sections you want to read next (e.g. “how to comply”)

MAIN LGPD REQUIREMENTS AND HOW TO COMPLY WITH THE LGPD

Key concepts of the LGPD

Principles of Processing

The principles for processing data are very similar to those of the GDPR. In particular:

  • There must be a purpose for processing. This means that any data processing activity must be carried out for legitimate, specific, explicit, and clearly communicated purposes – you must not do any additional processing which is not in line with the communicated original purposes.
  • Adequacy. Both the way of processing data, and processed data itself, must be justifiably in line with the purposes of processing
  • Purpose limitation. This is similar to the concept of data minimalization under the GDPR and simply means you must only process data that is necessary for the fulfillment of your stated purposes of processing.
  • Freedom in exercising rights and free access to information. Users must be able to freely exercise their rights under the LGPD and have unencumbered, easy access to any information about the processing of their personal data – free of charge.
  • Data integrity/quality. You, the data controller, must ensure the accuracy of the data processed and keep it updated and relevant, in accordance with the purpose for processing it.
  • Transparency. Information about your data processing must be clear, accurate and easily available to users. Users must also be able to access information about the third-parties that their data is shared with.
  • Security. Both the data controller and any processors (operators) must be sure to have technical and organizational measures in place that protect personal data from unauthorized access, accidental or unlawful destruction, loss, alteration and unauthorized communication or dissemination.
  • Prevention. It’s the responsibility of both the data controller and the processor to technical and organizational measures in place to prevent any damage being caused by the processing of personal data;
  • Non-discrimination. No data processing should occur for discriminatory purposes.
  • Accountability. As the data controller, you must comply with the law and must be able to prove it.

Legal basis for processing data under the LGPD

Under the LGPD data can only be processed if there’s at least one legal basis for doing so.

The legal bases are:

  • Consent from the user
  • The fulfillment of a legal or regulatory obligation which applies to the data controller
  • The execution of public policies (where those policies are supported via laws, regulations or contractual agreements)
  • The carrying out of studies by research bodies – where possible ensuring the anonymization of the personal data being used*
  • The fulfillment of a contractual agreement of which the user is a participant (or it’s precursory activities)
  • The regular exercising of rights in judicial, administrative or arbitral proceedings *
  • The protection of life or physical safety of the user or a third party
  • The protection of health – in a procedure performed by health professionals, health services or the health authority*
  • The legitimate interests of the data controller or third party, except where overridden by the interests, rights, and freedoms of the user
  • Credit protection, including the provisions of the relevant legislation*

*Not included as a legal basis under the GDPR.

Consent under the LGPD

Since consent is such a critical topic and often quite relevant when if comes to online processing, we’ll take a look at the specific requirements for consent under the LGPD below.

Under the LGPD, consent must be “free, informed and unambiguous”. This means that the consent must not be coerced, the consenting action required of the user should be clear and users must be adequately informed before granting consent. Consent must also be provided for a specific purpose and it must always be possible for users to revoke/ withdraw consent.

Under the LGPD, consent must be free, informed and unambigious.

In regards to consent for children under 12, you are required to get specific and prominent consent from a parent or guardian. Consent can be given by a 13 – 18* year old provided that the processing of their personal data is done in their best interest. You must make every reasonable effort (using available technology) to verify that the person giving consent actually holds parental responsibility for the child.

*Note: In Brazil, the recognized age for full contractual capacity is 18.

Publicly available data

Pre-LGPD legislation allowed companies to collect and process personal data made publicly available over the internet or any public source for any reason, however, under the LGPD this is no longer allowed.

Under the LGPD guidelines, public personal data may only be collected and used in two ways:

  • for the same purpose that the data was originally processed under – in which case the user’s consent in not required; or
  • for a different purpose, strictly where you, the data controller, can legitimately apply a valid legal basis for the processing (more below).

Note: Due to the above, “scraping” or otherwise collecting publicly-available data for marketing, etc. will likely be limited under the LGPD.

Sensitive data

When it comes to the processing of sensitive data, consent can be avoided only if the processing is absolutely necessary for:

  • complying with legal obligation which lies with the data controller;
  • shared processing needed for the public administration to execute legal or regulatory public policies;
  • conducting studies by a research body – ensuring, whenever possible, that the sensitive personal data is anonymized;
  • the protection of the life or physical safety of the user or a third party;
  • health protection, exclusively, in procedures performed by health professionals, health services or a health authority;
  • health supervision in a procedure performed by health professionals or health entities;
  • the regular exercising of rights – including contractual, judicial, administrative, as well as those granted via arbitral proceedings; or
  • fraud prevention and security of the user (e.g. for identification and authentication of registration in electronic systems) – as long as the rights of the users are protected and unless superseded by rights and freedom of the user.

Children’s data

Under the LGPD, exceptions to the consent requirement for processing the data of children apply if the processing is needed in order to contact the parents or legal guardians or to protect the child. The data can only be used once and must not be stored, must not be shared with third-parties without the proper consent

User’s rights under the LGPD

Under the LGPD, users (“data subjects”) have the right to:

  • Confirmation. Users have the right to confirm of the existence of processing.
  • Access. Users have the right to access their data being processed by the data controller.
  • Data portability. Users have a right to the portability of their data to another service or product provider, upon express request, in accordance with the regulations of the national authority and subject to commercial and industrial secrets.
  • Rectification. Users have the right to have their personal data rectified if it is inaccurate or incomplete.
  • Anonymization. Users are entitled to the anonymization, blocking or elimination of unnecessary or excessive personal data, or of any data that is not being processed in compliance with LGPD
  • Deletion. Users have the right to have their personal data deleted if the processing of that data was based on consent.
  • Information. Users have the right to be informed about sub-processors and other third parties that access or process their personal data. Users also have the right to be informed about their consent choices and the consequences of refusing consent.
  • Revocation. Users have the right to revoke or withdraw consent.
  • Bring complaint. Users have the right to lodge with the Data Protection Authority (DPA).
  • Object. Users have the right to oppose the processing of their personal data where there is non-compliance with the provisions of the law.
  • Request review. Users have the right to request the review of decisions made solely on the basis of automated processing of personal data which affect their interests. This includes decisions used to define their personal, professional, consumer and credit profile, or the aspects of their personality.

Controller and processor obligations under the LGPD

Cross-border data transfers

If you need to transfer LGPD protected data outside of Brazil, there are some guidelines to keep in mind. The LGPD allows the cross-border transfer of personal data if an adequate level of protection of the personal data is provided.

In practical terms, this means that the transfer is allowed if the receiving country is considered to have a legislation that provides for an adequate level of protection. The assessment of the adequacy level of the receiving country or international organization is made by the Data Protection Authority (DPA).

If the adequacy level is not met, it may still be possible to transfer the data abroad where one of the following conditions are met:

  • the data controller receives the informed, explicit, prior consent of the user – which must be separated from the other processing purposes and requests;
  • the data controller ensures compliance with LGPD via a dedicated contractual section, standard contractual clauses, or global corporate rules;
  • the data transfer meets standards set via valid certificates and codes of conduct regularly approved by the DPA;
  • the DPA directly authorises the transfer;
  • the transfer is needed for international legal cooperation between public intelligence, investigation and prosecution bodies (in accordance with international law);
  • the transfer is needed to protect the life or physical safety of the user or a third party;
  • the transfer is needed for enforcing public policy;
  • the transfer results in a commitment made in an international cooperation agreement;
  • the transfer is essential for meeting a legal obligation of the data controller or is necessary for the exercising of rights in Court or arbitration proceedings; or
  • the transfer is needed to fulfil an agreement with the user.

Data processing records

Under the LGPD, both data controllers and processors must maintain records of their personal data processing activities – especially when the processing is based on legitimate interest. All controllers and processors – regardless of size, frequency of processing or type of data processed – must meet this record-keeping obligation. However, exemptions may be granted by the Data Protection Authority.

All controllers and processors must meet this record-keeping obligation.

Data protection impact assessment (DPIA)

In essence, a data protection impact assessment (DPIA) is a process used to help the data controller comply with data privacy rules – ensuring that the main principles are effectively met.

Under the LGPD, the DPIA documentation generally contains the description of the activities of processing personal data that could generate risks to civil rights and liberties, as well as measures, safeguards and mechanisms to mitigate that risk.

The DPIA document must at least include:

  • a description of the categories of data processed;
  • the methods used to collect the data;
  • the security measures used; and
  • a description of the measures used to mitigate the risks involved in processing the personal data.

The law does not explicitly state when a DPIA is needed, but the Data Protection Authority can request that a DPIA be performed and provided by the data controller at any time.

Appointment of a data protection officer

Under the LGPD, you, the data controller, must appoint a Data Protection Officer (DPO). There are no exemptions to this rule. DPOs are individuals who are responsible for the following:

  • receiving complaints and communications from users, providing clarifications and adopting relevant measures;
  • advising the data controller’s employees and contractors in regards to the measures which must be taken to protect the personal data processed;
  • receiving communications from the DPA and adopting relevant measures; and
  • performing any other duties “as determined by the data controller or established in complementary rules”.

Data security and data breaches

Under the LGPD data controllers, processors or any other agent involved in the processing of the personal data must implement security, technical and administrative measures in order to protect personal data from unauthorised accesses and accidental or unlawful destruction, loss, alteration, communication or any kind of illegitimate processing.

Any security incident that could create risk or damage to users must be communicated within a reasonable timeframe to the DPA.

The communication must at least include:

  • a description of the nature of the personal data affected;
  • information on the affected users;
  • information about the technical and security measures used to protect the data – subject to commercial and industrial secrecy;
  • the risks related to the incident;
  • the reasons for any delay in reporting the incident to the DPA (in cases in which communication was not immediate); and
  • the measures that were or will be adopted to reverse or mitigate the effects of the damage.

Upon notification of the breach, the DPA may order the data controller to alert the media, or take other steps to mitigate the damaging effects of the incident.

Transparency

As it is with the GDPR, transparency is a core principle of the LGPD. Under the LGPD users have the right to facilitated access to information about the processing of their personal data – which must be made available in a clear, adequate, and notable manner.

These disclosures include:

  • the specific purpose of the processing;
  • the type of processing and the duration of the processing;
  • the identifying details of the data controller;
  • the controller’s contact information;
  • information about who the data is shared with and why;
  • the responsibilities of any processors or agents that will carry out the processing;
  • the user’s (data subject) rights, with explicit mention of the user rights provided in Art. 18 of the LGPD (mentioned above), how to exercise those rights, and whether any personal data will be processed to respond to a request to exercise those rights.

Accountability: privacy by design and default

The LGPD states that both data controllers and processors may put into place internal processes and policies that ensure compliance with the law. This includes a privacy governance program and measures that show its effectiveness.

The governance program should, as a minimum:

  • show the controller’s commitment to ensure compliance with rules and good practices
  • be applicable to the entire set of personal data under the control of the particular data processor – regardless of the means used to collect the data;
  • be adapted to the particular structure, scale, and volume of the operations, as well as to the sensitivity of the data being processed;
  • establishes adequate policies and safeguards based on a process of systematic evaluation of the impacts on and risks to privacy;
  • have the purpose of creating a relationship of trust with the user via transparency;
  • ensure that mechanisms for the user to participate are integrated into the program’s general governance structure and establish and apply internal and external mechanisms of supervision;
  • have plans and solutions in place for responding to incidents; and
  • is constantly updated based on information obtained from continuous monitoring and periodic evaluations.

The data controller must be able to demonstrate the effectiveness of their privacy governance program when needed – especially if requested to do so by the the national authority.

Consequences of non-compliance

The legal consequences for non-compliance can include fines up to 50 million Brazilian reais (currently roughly €8M or US$9M) or 2% of a company’s annual turnover in Brazil, per violation. But perhaps equally as concerning are the other potential corrective actions that may be taken against those who are found to be in violation.

The legal consequences for non-compliance can include fines up to BRL 50 million (€8M) or 2% of the annual turnover

Under the LGPD, the Brazilian Data Protection Authority has corrective powers which include issuing warnings and fines, publicizing of the violation, and blocking or deleting the processing activities or personal data to which the infraction refers – this means that if the infraction occurred in regards to email address collection, the offending data controller could risk losing the entire associated email list.

Additionally, like the GDPR, the LGPD allows users with a cause for action to seek civil damages (pecuniary or moral) for violation of the privacy law.

How to comply with the LGPD

LGPD compliance checklist

Identify (and document) your legal bases for processing personal data. Data controllers must define a legal basis for each processing activity and document the legal basis in their records of processing.

Maintain a record of data processing activity (required under Art. 37). While the LGPD does not include specific requirements for the form or content of these records, however, they will likely be similar to the register of processing required under art. 30 of the GDPR. iubenda makes creating & maintaining data processing records easy. Read more here.

Include required disclosures in your privacy policy. Required (Art. 9) to meet LGPD transparency requirements. Read about our Privacy Policy Generator’s one-click LGPD disclosure setting.

Collect and maintain valid proof of consent (required under Art. 8). As it is with the GDPR, under the LGPD the burden of proof to demonstrate valid consent lies with you, the data controller. iubenda makes creating & maintaining consent records incredibly easy. Read more here.

Appoint a data protection officer (DPO) – required under Art. 41. Under the LGPD, it’s mandatory that all data controllers appoint a DPO, who will then be tasked with the activities mentioned here. Currently, the law does not require the DPO to be physically located in Brazil, and also leaves the possibility open for controllers to appoint third-party individual consultants as their DPO.

Develop internal policies and procedures for honoring the rights of users and responding to related user requests. Data controllers must reasonably respond to data subjects’ requests to exercise their rights under the LGPD, including access, correction, anonymization, deletion and portability.

Implement a security protocol. Both controllers and processors must adopt security measures designed to safeguard protect personal data. The DPA may provide guidelines for minimum technical standards in the future. Other legal frameworks under Brazilian law provide additional guidance related to existing standards, such as Brazil’s Civil Rights Framework for the Internet also known as Marco Civil da Internet (which settles principles, guarantees, rights, and duties for the users of the web in Brazil).

Develop an incident response and remediation plan (in accordance with Art.50). Controllers and processors must implement an incident response plan that ensures the controller is able to comply with the mandatory incident reporting requirements (see below).

If a data breach poses significant risk or damage to users, you must notify the DPA and users (in accordance with Art.50).

Perform data protection impact assessments (DPIAs). DPIAs may be mandatory in situations characterized as risky or, at the request of the authority, where the processing of data is based on legitimate interest.

Implement privacy by design and default. Under the LGPD, it’s mandatory to put measures in place by default, which guarantee the protection of personal data. In practical terms, the default settings should be those which guarantee the highest protection level.

Comply with cross-border data transfer requirements. Ensure that you’re aware of any applicable limits on cross – border data transfers and comply with the relevant provisions. More details here.

How iubenda can help you to comply with LGPD requirements

In terms of compliance, one of the fundamental steps is ensuring that your documents inline with legal requirements. At iubenda, we take a comprehensive approach to data law compliance. We build solutions with the strictest regulations in mind, giving you full options to customize as needed. We help you with meeting your legal obligations, reduce your risk of litigation and protect your customers —building trust and credibility.

Here’s what you need to get started with full compliance:

Privacy Policy

All privacy policies generated with iubenda allow you to be compliant with the LGPD, as they contain the option to easily apply the legal standards defined by the LGPD to Brazilian users.

With our Privacy and Cookie Policy Generator you can create a beautiful, lawyer-crafted, precise privacy policy and seamlessly integrate it with your website or app. You can simply add any of several pre-created clauses at the click of a button or easily write your own custom clauses using the built-in form.

Our solution makes it easy for you to meet LGPD requirements, with one-click activation for:

  • Displaying LGPD related language, disclosures, and instructions as legally required; and
  • Automatically updating your embedded privacy policy with the LGPD text once activated within the generator – no need to re-integrate the code on your site!

The privacy policy also comes with the option to include a cookie policy (it’s necessary to include it if your website or app is using cookies and has EU users). The policies are customizable to your needs and remotely maintained by an international legal team.

 

For more information on privacy policies click here.

Internal Privacy Management

Meeting LGPD regulations can be a technical challenge to implement in practical terms. This is especially true for internal privacy management.

Our solution helps you to easily record and manage all your data processing activities so that you can easily comply with mandatory LGPD requirements and meet your legal obligations. It allows you to create records of processing activity: add processing activities from 1300+ pre-made options, divide them by area (sub-divisions within which data processing activities are the same), assign processors and other member roles, and to document legal bases and other LGPD-required records.

For a list of the full features of the Internal Privacy Management tool click here or read the guide here.

Managing consent and maintaining detailed records related to it

In order to comply with privacy laws such as the LGPD and GDPR, you must keep proof of consent in order to demonstrate that consent was collected in a legally compliant way.

Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.

To use, simply activate the Consent Solution within your dashboard and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.

For a list of the full features of the Consent Solution click here or read the guide here.

Make your site LGPD compliant in minutes

Start generating

Please note that from time to time, laws are amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.

See also