A guide to LGPD in Brazil

How to comply with Lei Geral de Proteção de Dados, Brazil’s data protection law

Brazil’s Lei Geral de Proteção de Dados (LGPD) is the country’s first comprehensive personal data protection law. It entered into force in September 2020 and aligns closely with the EU’s sweeping data privacy act, the General Data Protection Regulation (GDPR).

Before LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation. The aim of the LGPD was to unify the 40 different Brazilian laws that regulated the processing of personal data.

LGPD sets forth Brazil’s conception of personal data and when its use is authorised. Comprising 65 articles, it deals with the rights of data subjects and has 10 legal bases for the processing of personal data, which is four more than GDPR.

LGPD’s focus is on promoting transparency and accountability in how personal data is managed by businesses. The law governs how businesses collect, process, store and use personal data. It applies to any business, no matter where it is located, that processes the personal data of anyone in Brazil. It makes no difference whether the data processing happens within Brazilian territory or not. The only relevant point is that the data subject is in Brazil.

Complying with LGPD is crucial for businesses handling the personal data of Brazilians. There are legal implications as well as issues of consumer trust, data security, corporate responsibility, and preserving your business’ reputation. We recognise that understanding LGPD is vital for Brazilian companies as well as companies that want to facilitate cross-border operations. We created this guide to ensure that companies have the information they need to do that.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.


