Your World of Legal Intelligence
 Brasil | 1-800-335-6202

Brazilian Government Makes The LGPD Effective Imminently

Document Cited in Related
Vincent
Published date11 September 2020
Subject MatterPrivacy, Data Protection
Law FirmFoley & Lardner
AuthorMr Aaron Tantleff, Steven M. Millendorf and Pedro Romano Fragoso Pires

On August 14, 2018, the Brazilian government approved the Brazilian General Data Protection Law, known as the Lei Geral de Proteç'o de Dados Pessoais ("LGPD") Enforcement was set to begin on August 15, 2020 but then, due to COVID-19 was delayed until May 2021. Later, the delay was shortened to December 31, 2020, but eventually overturned by the Brazilian Senate, reverting to the original enforcement date resulting in the LGPD coming into effect very soon. Notwithstanding the immediacy of the LGPD, penalties and sanctions for non-compliance provided therein will not be enforced until August 1, 2021.

LGPD in a Nutshell

- Extraterritorial scope - applies to organizations in Brazil as well as organizations that process personal data for the purpose of offering or supplying goods and services to individuals in Brazil.
- Relatively broad definition of personal data, but with significant exclusions.
- Companies must appoint a DPO to be within the "channel of communication" between the financial controller, the data subjects, and regulators.
- Must have at least one of 10 lawful bases for processing.
- Parental consent required when processing personal data of a child under 12. Processing of personal data for children under 18 must be in their best interest.
- Detailed guidance for the use of consent as a lawful basis for processing.
- Data subjects have the right to request information about the data the company collects about them and what will happen if they do not grant consent to the controller in order to process their personal data.
- Data breach notification to regulators within a reasonable period of time.
- Exports of personal data from Brazil only permitted if level of protection can still be maintained, including through adequacy decisions, binding corporate rules, codes of conduct, or consent.
- Individuals have the right to be informed of the nature of the processing of their personal data. Individuals also have the right to access, correct, delete, anonymize, and to obtain a portable copy of their personal data.
- Significant fines for violations - up to 2% of revenue in Brazil capped at R$ 50MM per violation (roughly US$9.4MM as of September 10, 2020).

The LGPD, like the EU's General Data Protection Regulation ("GDPR") is extraterritorial in scope. The LGPD applies to any company, public or private, that processes personal data in Brazil, collects or processes the personal data of individuals in Brazil, or processes data for the purpose of offering or supplying goods or services in Brazil. This means that it applies to any company located within Brazil, as well as those outside of Brazil that process personal data of individuals residing in Brazil or otherwise marketing goods or services to people in Brazil Accordingly, any company located in or marketing goods or services to individuals in Brazil should be aware of the LGPD and consider whether any...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT