If you serve customers in Brazil or handle data about somebody in Brazil, you must follow a new law known as the LGPD. It follows similar principles to those of Europe's GDPR, including administrative fines for serious breaches.

Here's what you need to know and do to avoid potential financial penalties.


Background of the LGPD

This law is formally known as Lei Geral de Proteção de Dados Pessoais and commonly abbreviated to the LGPD. It translates literally as "General Law on the Protection of Personal Data."

The LGPD was passed into law in August 2018. Originally scheduled to take effect from February 2020, it was delayed and instead took effect in August 2020.

At the time of writing, officials were not scheduled to begin enforcing the measures until 3 May 2021, with fines for non-compliance beginning on 1 August 2021. This means you need to make any necessary changes to your data handling and privacy procedures as soon as possible.

Who the LGPD Applies to

The LGPD restricts the processing of personal data. It defines personal data as "information regarding an identified or identifiable natural person."

A natural person is a human rather than a legal entity such as a business. The LGPD doesn't cover anonymous data.

The LGPD covers data processing in any of four situations:

  • The processing is of data about somebody located in Brazil (regardless of their nationality)
  • The processing takes place in Brazil
  • The data was collected in Brazil
  • The processing is done to provide or offer goods or services in Brazil

In any of these situations, the law applies to you regardless of your physical or legal location.

Exemptions

The LGPD includes three main exemptions that can apply to processing that would normally fall under the scope of the law:

  • The processing is done for personal, non-business reasons. Note that an individual still falls under the scope of the law when processing for commercial purposes, even if they aren't established as a company or other legal entity.
  • The processing is for academic, journalistic or artistic purposes
  • The data is processed for reasons such as criminal investigations, national security or defense activities

Brazil's National Data Protection Authority

Despite a standoff between the then-President of Brazil and the country's National Congress, which briefly saw references to an enforcement authority removed from the bill, Brazil has now created the Autoridade Nacional de Proteção de Dados (ANPD). This translates as "Brazilian National Data Protection Authority." The ANPD is officially an independent agency within Brazil's federal government structure.

As well as issuing regulations, researching data protection issues and promoting data privacy, the ANPD is responsible for imposing administrative sanctions (fines and other punishments) for LGPD violations.

The ANPD can order an organization to change its data handling practices. In more severe cases it can temporarily or permanently restrict data processing activities. The ultimate sanction is a fine of up to two percent of a business's revenue in Brazil for the previous financial year, capped at 50 million Brazilian reais (US$9 million at the time of writing) per violation.

Rights for Citizens Under the LGPD


The LGPD is based around nine stated rights for data subjects (the person the data is about). Understanding these rights is key when anticipating how the law will be interpreted and applied.

The law says data subjects have the right to:

  • Know you are processing their personal data
  • Know which third parties or subprocessors you've shared the data with
  • Know the consequences of refusing consent
  • Access their data
  • Transfer their data to other processors if requested
  • Correct incomplete, outdated or false data
  • Withdraw consent
  • Tell you to delete data that you processed based on consent they've now withdrawn
  • Tell you to delete data that is excessive, unnecessary or not being processed under the LGPD

The LGPD works on a legal basis system. This means it's only lawful to process personal data when one of a specified list of allowable reasons applies. This reason is known as the "legal basis" on which you rely to make the processing lawful.

The most common legal bases that could apply to a business processing data about customers are:

  • The data subject has consented. Consent must be given in writing or by another means that demonstrates the data subject's intent, can be withdrawn at any time, and must cover processing for a specific purpose. You can't simply get generic consent to cover all processing.
  • The data processing is done to carry out your legitimate interests, such as your business activity. These interests must outweigh the data subject's general rights under the LGPD.
  • To carry out a legal or contractual obligation.

Other legal bases cover situations such as processing by health professionals, government work, research, judicial activity, and protecting somebody's life or safety.

Your Responsibilities When Handling Data


As well as making sure your processing has a legal basis, you must do the following to comply with the LGPD:

  • Get specific, explicit consent from a parent or legal representative before collecting or processing data about a child. The one exception the LGPD allows is collecting a child's data without that consent when it's necessary to contact the parent or legal representative (or to protect the child): in that case you may use the data a single time, must not store it, and must not pass it to third parties.
  • Stop processing data once it's no longer needed to achieve the purpose for which you collected it
  • Keep track of the data you hold about people and how you use it so that you can quickly and accurately respond if they exercise their right to see their data
  • Only transfer the data outside of Brazil if one of the following applies:

    • The country to which you are transferring the data has data protection laws that offer at least the same level of protection as the LGPD
    • You have a binding contract with the recipient of the data that guarantees they'll offer at least the same level of protection as the LGPD
    • You have specific permission from the ANPD or the data subject has explicitly consented to the transfer, knowing that it is to another country
  • Appoint a dedicated data protection officer who is responsible for handling complaints and data access requests, training staff on data protection issues, and communicating with the ANPD
  • Follow any "rules of good practice and governance" published by the ANPD
  • Notify the affected data subjects and the ANPD of any security incident that may cause risk or relevant damage to data subjects. This notice should cover:

    • A description of the affected data
    • An overview of which data subjects were involved
    • The risks stemming from the breach
    • What security measures you used to protect the data
    • What steps you will now take

How to Make an LGPD-Compliant Privacy Policy


The text of the LGPD does not specifically require a Privacy Policy. However, if you come under the LGPD's scope, it is worth having one.

Firstly, it's the most efficient way to transmit the required information to data subjects both before and while you are processing their data. In particular, it will lend more weight when you rely on the legal basis that a data subject gave informed consent to processing. The LGPD specifically says the burden is on the data controller to prove the data subject gave consent lawfully.

Secondly, the LGPD shares key notification requirements with data protection laws in other countries so a single Privacy Policy could satisfy multiple laws in an efficient manner.

When writing a Privacy Policy, bear in mind that the LGPD says you must present any information to the data subject in a "transparent, clear and unambiguous way."

The LGPD lays out seven key points you must cover in communications such as a Privacy Policy. As the examples show, many existing policies will already cover these points.

Specific Purpose of Processing

You must tell the data subject why you will use the data. You cannot use it for another purpose without getting fresh consent. Remember that once you have achieved the purpose for which you collected the data, you should stop processing it.

This example from Wiltshire Council works well as an overview in a Privacy Policy. To be certain of complying with the LGPD you'd also need to list the specific purpose at the point when you collect specific information:

Wiltshire Council Privacy Notice: Purposes of Processing clause

Type and Duration of Processing

You must tell the data subject how you will use the data and how long you will need to do this. You should give clear detail, though this doesn't have to compromise your commercial secrecy.

The Independent gives both a principle and specific examples for how long it keeps and uses data:

The Independent Privacy Policy: How long do we keep your personal information for clause

Identification of the Controller

You must identify who the data controller is (normally your organization). Remember to include the details of your dedicated data protection officer (DPO).

VFS Global includes mention of its DPO in a number of places in its Privacy Policy, including the Contact clause:

VFS Global Privacy Policy: Contact clause

Your Contact Information

The text of the LGPD doesn't state exactly what details you must provide. Your data protection officer should monitor communications from the ANPD in case it issues more specific guidance on this point.

The Ocean Race uses the contact information to concisely cover a common legal point of defining the term "We" in its Privacy Policy:

Ocean Race Privacy Policy: Contact details clause

Details of How You Share Data

You need to tell data subjects who you share their data with and the purpose for which they'll use it.

Remember that the LGPD has specific rules on transferring data outside of Brazil. If you are relying on data subject consent to make such a transfer legal, you must get explicit consent for the transfer, having made clear the data will leave Brazil.

Mailchimp's Privacy Policy details how third parties use its customer data:

Mailchimp Privacy Policy: How We Share Information clause excerpt

Responsibilities of the Agents That Carry Out the Processing

As well as stressing that you will only use the data for the stated purpose and only for as long as necessary, you should highlight the security measures you take to reduce the risk of, and mitigate, data breaches.

Fast Company covers its responsibilities as well as those it places on data subjects:

Fast Company Privacy Policy: How we protect and retain information clause excerpt

The Data Subject's Rights

You must specifically list the nine key rights stated in the LGPD and detailed earlier in this guide.

Summary

Let's recap what you need to know about the LGPD:

  • The LGPD is a Brazilian law that took effect in August 2020. Enforcement is scheduled to start in May 2021, with the possibility of fines from August 2021.
  • The law restricts the processing of personal data if the data subject is located in Brazil, the processing is in Brazil, the data is collected in Brazil or you are processing the data to offer or provide goods or services in Brazil.
  • The nationality of the data subject or the data controller doesn't matter.
  • Processing for personal (non-business), academic, journalistic or artistic purposes is exempt from the law, as is processing for some government activities.
  • The law is administered by a new government agency, the ANPD. Breaking the law could mean a fine of up to two percent of your annual revenue in Brazil, capped at 50 million Brazilian reais per violation.
  • The LGPD gives data subjects nine key rights, including knowing what data you are processing, why, and who you share it with. They also have the right to correct data, withdraw consent for processing, and tell you to delete data that you no longer need or have the right to process.
  • Under the LGPD, you can only process data using a specified legal basis. The three most applicable for businesses are consent from the data subject, carrying out your legitimate interests, or carrying out a legal obligation.
  • You must have a dedicated data protection officer, keep records of your data use, and inform both the data subjects and the ANPD of any security incident that may cause risk or relevant damage to data subjects.
  • You need specific, explicit consent from a parent or legal representative to process data about a child. Collecting a child's data without that consent is allowed only when it's necessary to contact the parent or representative (or to protect the child), and then it may be used a single time and must not be stored or shared.
  • You can't transfer data outside of Brazil unless you can either guarantee it will have the same level of protection as offered by the LGPD (either through national law or a contract with the recipient) or you have explicit consent from the data subject.
  • You must provide the following information to the data subject, most commonly through a Privacy Policy:

    • Why, how and how long you will process the data
    • Your identity and contact details, including your data protection officer
    • How and why you share data
    • How you secure data
    • The data subject's nine rights