If you serve customers in Brazil or handle personal data about anybody located there, you must comply with Brazil's data protection law, the LGPD. It follows principles similar to those of Europe's GDPR, including administrative fines for serious breaches.
Here's what you need to know and do to avoid potential financial penalties.
- 1. Background of the LGPD
- 2. Who the LGPD Applies to
- 2.1. Exemptions
- 3. Brazil's National Data Protection Authority
- 4. Rights for Citizens Under the LGPD
- 5. Legal Bases That Make Processing Lawful
- 6. Your Responsibilities When Handling Data
- 7.1. Specific Purpose of Processing
- 7.2. Type and Duration of Processing
- 7.3. Identification of the Controller
- 7.4. Your Contact Information
- 7.5. Details of How You Share Data
- 7.6. Responsibilities of the Agents That Carry Out the Processing
- 7.7. The Data Subject's Rights
- 8. Summary
Background of the LGPD
This law is formally known as Lei Geral de Proteção de Dados Pessoais and commonly abbreviated to the LGPD. It translates literally as "General Law on the Protection of Personal Data."
The LGPD was passed into law in August 2018. Originally scheduled to take effect from February 2020, it was delayed and instead took effect in August 2020.
At the time of writing, officials were not scheduled to begin enforcing the measures until 3 May 2021, with fines for non-compliance beginning on 1 August 2021. This means you need to make any necessary changes to your data handling and privacy procedures as soon as possible.
Who the LGPD Applies to
The LGPD restricts the processing of personal data. It defines personal data as "information regarding an identified or identifiable natural person."
A natural person is a human rather than a legal entity such as a business. The LGPD doesn't cover anonymized data, provided the anonymization can't be reversed by reasonable means.
The LGPD covers data processing in any of four situations:
- The processing is of data about somebody located in Brazil (regardless of their nationality)
- The processing takes place in Brazil
- The data was collected in Brazil
- The processing is done to provide or offer goods or services in Brazil
In any of these situations, the law applies to you regardless of your physical or legal location.
Exemptions
The LGPD includes three main exemptions that can apply to processing that would otherwise fall under the scope of the law:
- The processing is done for personal, non-business reasons. Note that an individual still falls under the scope of the law when processing for commercial purposes, even if they aren't established as a company or other legal entity.
- The processing is for academic, journalistic or artistic purposes
- The data is processed for reasons such as criminal investigations, national security or defense activities
Brazil's National Data Protection Authority
Despite a standoff between the then-President of Brazil and the country's Congress, which briefly saw references to an enforcement authority removed from the bill, Brazil has now created the Autoridade Nacional de Proteção de Dados (ANPD). This translates as "Brazilian National Data Protection Authority." The ANPD is officially an independent agency within Brazil's federal government structure.
As well as issuing regulations, researching data protection issues and promoting data privacy, the ANPD is responsible for imposing administrative sanctions (fines and other punishments) for LGPD violations.
The ANPD can issue warnings, publicize an infraction and order an organization to change its data handling practices, block or delete the data involved, or suspend a database. In more severe cases it can temporarily or permanently restrict data processing activities. The ultimate sanction is a fine, with the maximum penalty per infraction being the lower of either two percent of the business's revenue in Brazil for the previous financial year (excluding taxes) or 50 million Brazilian reais (about US$9 million at the time of writing).
Rights for Citizens Under the LGPD
The LGPD is based around nine stated rights for data subjects (the person the data is about). Understanding these rights is key when anticipating how the law will be interpreted and applied.
The law says data subjects have the right to:
- Know you are processing their personal data
- Know which third parties or subprocessors you've shared the data with
- Know the consequences of refusing consent
- Access their data
- Have their data transferred (ported) to another product or service provider on request
- Correct incomplete, outdated or false data
- Withdraw consent
- Tell you to delete data that you processed based on consent they've now withdrawn
- Tell you to delete data that is excessive, unnecessary or not being processed under the LGPD
Legal Bases That Make Processing Lawful
The LGPD works on a legal basis system. This means it's only lawful to process personal data when one of a specified list of allowable reasons applies. This reason is known as the "legal basis" on which you rely to make the processing lawful.
The most common legal bases that could apply to a business processing data about customers are:
- The data subject has consented. Consent must be given in writing or by another means that clearly demonstrates the data subject's wishes, can be withdrawn at any time, and must cover processing for a specific purpose. You can't simply get generic consent to cover all processing.
- The data processing is done to carry out your legitimate interests, such as your business activity. These interests must outweigh the data subject's general rights under the LGPD.
- To carry out a legal or contractual obligation.
Other legal bases cover situations such as processing by health professionals, government work, research, judicial activity, and protecting somebody's life or safety.
Your Responsibilities When Handling Data
As well as making sure your processing has a legal basis, you must do the following to comply with the LGPD:
- Get specific, clearly highlighted consent from at least one parent or legal guardian before processing data about a child. The one exception is when you collect a child's data without consent solely to contact the parent or guardian (or to protect the child): the LGPD says you may use such data only once, must not store it, and must never pass it to third parties without consent. You'll need fresh consent before collecting and using the data again.
- Stop processing data once it's no longer needed to achieve the purpose for which you collected it
- Keep track of the data you hold about people and how you use it so that you can quickly and accurately respond if they exercise their right to see their data
- Only transfer the data outside of Brazil if one of the following applies:
  - The country to which you are transferring the data has data protection laws that offer at least the same level of protection as the LGPD
  - You have a binding contract with the recipient of the data that guarantees they'll offer at least the same level of protection as the LGPD
  - You have specific permission from the ANPD, or the data subject has explicitly consented to the transfer, knowing that it is to another country
- Appoint a dedicated data protection officer who is responsible for handling complaints and data access requests, training staff on data protection issues, and communicating with the ANPD
- Follow any "rules of good practice and governance" published by the ANPD
- Notify the ANPD and the affected data subjects, within a reasonable time, of any security incident that may cause risk or relevant harm to data subjects. This notice should cover:
  - A description of the affected data
  - An overview of which data subjects were involved
  - The risks stemming from the incident
  - What security measures you used to protect the data
  - What steps you will now take to mitigate the harm
Firstly, it's the most efficient way to transmit the required information to data subjects both before and while you are processing their data. In particular, it will lend more weight when you rely on the legal basis that a data subject gave informed consent to processing. The LGPD specifically says the burden is on the data controller to prove the data subject gave consent lawfully.
Specific Purpose of Processing
You must tell the data subject why you will use the data. You cannot use it for another purpose without a legal basis for that new purpose (fresh consent, if consent was the original basis). Remember that once you have achieved the purpose for which you collected the data, you should stop processing it.
Type and Duration of Processing
You must tell the data subject how you will use the data and how long you will need to do this. You should give clear detail, though this doesn't have to compromise your commercial secrecy.
The Independent gives both a principle and specific examples for how long it keeps and uses data:
Identification of the Controller
Name the controller (the organization that decides why and how the data is processed), and remember to include the details of your dedicated data protection officer (DPO).
Your Contact Information
The text of the LGPD doesn't state exactly what contact details you must provide. Your data protection officer should monitor communications from the ANPD in case it issues more specific guidance on this point.
Details of How You Share Data
You need to tell data subjects who you share their data with and the purpose for which they'll use it.
Remember that the LGPD has specific rules on transferring data outside of Brazil. If you are relying on data subject consent to make such a transfer legal, you must get explicit consent for the transfer, having made clear the data will leave Brazil.
Responsibilities of the Agents That Carry Out the Processing
As well as stressing that you will only use the data for the stated purpose and only for as long as necessary, you should highlight the security measures you take to reduce the risk of, and mitigate, data breaches.
Fast Company covers its responsibilities as well as those it places on data subjects:
The Data Subject's Rights
You must specifically list the nine key rights stated in the LGPD and detailed earlier in this guide.
Summary
Let's recap what you need to know about the LGPD:
- The LGPD is a Brazilian law that took effect in August 2020. Enforcement is scheduled to start in May 2021, with the possibility of fines from August 2021.
- The law restricts the processing of personal data if the data subject is located in Brazil, the processing takes place in Brazil, the data is collected in Brazil, or you are processing the data to offer or provide goods or services in Brazil.
- The nationality of the data subject or the data controller doesn't matter.
- Processing for personal (non-business), academic, journalistic or artistic purposes is exempt from the law, as is processing for some government activities.
- The law is administered by a new government agency, the ANPD. Breaking the law could mean a fine of up to two percent of your revenue in Brazil, capped at 50 million Brazilian reais per infraction.
- The LGPD gives data subjects nine key rights, including knowing what data you are processing, why, and who you share it with. They also have the right to correct data, withdraw consent for processing, and tell you to delete data that you no longer need or have the right to process.
- Under the LGPD, you can only process data using a specified legal basis. The three most applicable for businesses are consent from the data subject, carrying out your legitimate interests, or carrying out a legal obligation.
- You must have a dedicated data protection officer, keep records of your data use, and inform both the ANPD and the affected data subjects of any security incident that may harm data subjects.
- You need specific consent from a parent or guardian to process data about a child. Data collected without consent purely to contact the parent or guardian may be used only once and must not be stored.
- You can't transfer data outside of Brazil unless you can guarantee it will have the same level of protection as offered by the LGPD (either through national law or a contract with the recipient), you have the ANPD's permission, or you have explicit consent from the data subject for the international transfer.
- You must also tell data subjects why, how and for how long you will process their data; your identity and contact details, including those of your data protection officer; how and why you share data; how you secure it; and their nine rights under the LGPD.