Compliance with Brazil's LGPD is critical for businesses that process personal data within its territory, and the law's reach extends beyond businesses based in Brazil. Learn what the LGPD requires and how to comply with it below.
What Is Brazil’s LGPD?
You may have heard of the GDPR, the EU data protection and privacy regulation adopted in 2016 and enforced since May 2018, which sets strict rules for how the personal and sensitive data of individuals in the EU may be collected and used. Created with similar intentions, the LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13,709/2018) is Brazil's general data protection law. It entered into force on September 18, 2020, and its administrative sanctions became applicable on August 1, 2021.
In essence, the LGPD applies to any organization that does business in Brazil or processes the personal data of individuals located in Brazil. Prior to 2020, Brazil already had a foundation of federal legal norms on personal data, but they were spread over some 40 sector-based standards. The LGPD consolidates them under one general framework. At a high level, the law states that personal data may be processed only for legitimate, specific, explicit and clearly communicated purposes. As with the GDPR, collection and use must be limited to what is necessary for those purposes, and there are rules on transparency.
The requirements protect individuals' right to privacy over their personal and sensitive data and penalize organizations that fail to safeguard and properly use the data they collect. Under the LGPD, personal data is any information relating to an identified or identifiable natural person, such as names, IP addresses and email addresses. A subset is treated as sensitive personal data and receives stricter protection: health, genetic and biometric data; racial or ethnic origin; religious, philosophical and political convictions and memberships; trade union membership; and data concerning sex life or sexual orientation.
The LGPD applies to the use of data both online and offline in the public and private sectors, and it has a territorial scope that extends beyond Brazil. This law likely applies to you if:
- You carry out data processing activities in Brazil
- You sell or supply goods or services to anyone in Brazil
- You collect and/or process data that refers to individuals located in Brazil at the time of data processing activities, even if their location has since changed
If your activities match any of these conditions, LGPD compliance is necessary to avoid penalties, which can include fines of up to 2% of your revenue in Brazil, capped at 50 million Brazilian reais per violation, and, in certain cases, partial or total prohibition of data-processing activities.
Brazil’s LGPD Requirements
Though Brazil’s LGPD law is similar to and aligns with GDPR, it does differ in several ways.
Under the LGPD, personal data may be processed only when at least one of ten legal bases applies:
- User consent
- Fulfillment of a legal or regulatory obligation that applies to the data controller
- Execution of public policies
- Studies by research bodies, with the personal data anonymized wherever possible
- Fulfillment of a contractual agreement involving the user
- Exercising of rights in judicial, administrative or arbitral proceedings
- Protection of life or physical safety of the user or a third party
- Protection of health, in a procedure carried out by health professionals, health services or health authorities
- Legitimate interests of the data controller or third party, except where overridden by the interests, rights, and freedoms of the user
- Credit protection, including the provisions of the relevant legislation
There are also ten principles that all processing must respect, including:
- Purpose and adequacy: data may be processed only for the legitimate, specific purposes communicated at collection, and in a way compatible with them
- Necessity: processing is limited to the minimum data needed for those purposes
- Data quality and security: the controller must ensure the data is accurate and protected by technical and administrative measures
- Non-discrimination: data may not be processed for unlawful or abusive discriminatory purposes
- Accountability: controllers must comply with the law and be able to demonstrate that they do
- Free access: users must be able to exercise their rights under the LGPD easily and free of charge, and to obtain information about the processing of their data
- Transparency: the controller must provide clear information about the processing, including any third parties with which the data is shared
User Rights and Consent
The LGPD requires that consent be a "free, informed and unequivocal" expression of the user's will for a specific purpose; generic, blanket authorizations are void. Users must clearly understand what they are consenting to and must have a genuine choice: consent cannot be coerced or bundled with unrelated terms, and the controller bears the burden of proving it was obtained. For sensitive personal data, consent must additionally be specific and highlighted. It must always be possible to revoke consent, through a free and simple procedure.
For children (under 12 under Brazilian law), specific and highlighted consent from at least one parent or legal guardian is required, and controllers must make every reasonable effort, considering available technology, to verify that the person giving consent actually holds parental responsibility for the child. The data of adolescents (12 to 17) may be processed without parental consent, provided the processing is in their best interest.
When it comes to user rights, users are owed the right to:
- Confirm the processing of their data
- Access their data
- The portability of their data to another service or provider upon request
- Rectification of their data if it is inaccurate, incomplete or out of date
- Anonymization, blocking or elimination of unnecessary, excessive or unlawfully processed data
- Deletion of personal data processed on the basis of their consent
- Revoke or withdraw consent
- File a complaint
- Object to the processing of data when the LGPD is not complied with
- Request the review of decisions made on the basis of automated processing of personal data which affects their interests
- Be informed about sub-processors and other third parties that access or process their data
Under the LGPD, controllers and processors must keep records of their personal-data processing operations, especially where processing relies on legitimate interest. The obligation applies regardless of size, frequency of processing or type of data processed, though the national data protection authority (ANPD) may regulate exemptions.
Data Protection Officers
Similarly to the GDPR, the LGPD requires controllers to appoint a data protection officer (encarregado), whose identity and contact details must be published, to act as the point of contact for users and the regulator on data protection matters. The law itself contains no exemption, though it allows the ANPD to set complementary rules on the officer's duties, including cases in which the appointment may be waived. The officer is responsible for:
- Receiving and responding to complaints and other communications from users
- Receiving communications from the ANPD and acting on them
- Advising the data controller and involved parties of the measures which must be taken to protect the data processed
- Performing other duties as determined by the data controller or established in complementary rules
The LGPD requires processing agents to adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination. Any security incident that may cause risk or relevant damage to users must be reported to the ANPD and to the affected users within a reasonable period, as defined by the authority. The notification must, at a minimum, describe the nature of the affected data, the data subjects involved, the technical and security measures used to protect the data, the risks arising from the incident, the reasons for any delay, and the measures taken or proposed to reverse or mitigate its effects. After assessing the seriousness of the incident, the ANPD may order further measures, such as wide public disclosure, and the controller must carry out whatever it mandates.
Brazil’s LGPD vs Europe’s GDPR
How do the LGPD and the GDPR compare? At their core, they are very similar. Many of the differences come down to translation and to what one law makes explicit that the other leaves implied. If your operations fall within both Brazil's and the EU's jurisdiction, review the requirements of both laws rather than assuming that compliance with one satisfies the other.
Both laws have extraterritorial application, are enforced by regulators, and apply to people, businesses, public bodies, and charities in every sector and of every size.
However, there are some differences, such as:
- How personal data is defined
- Who is deemed a data controller or processor
- Data-processing principles (the GDPR lists 7, the LGPD 10)
- Lawful bases for data processing
- Data subject rights
- Data security rules
- Violation penalties
Compliance With Brazil’s LGPD
The consequences for noncompliance can include a fine of up to 2% of the organization's revenue in Brazil in its last fiscal year, excluding taxes, capped at 50 million Brazilian reais per violation (roughly €8M or $9M at the time of writing), daily fines, and other corrective measures such as public disclosure of the violation, blocking or deletion of the personal data involved, suspension of the affected database or processing activity for up to six months, and partial or total prohibition of processing. The LGPD also allows users who suffer harm from a violation to seek civil damages.
How to Comply With LGPD
Key factors to consider when it comes to complying with Brazil LGPD law requirements include:
- Ensuring data processing practices only collect essential and approved user data
- Identifying and documenting your legal bases for processing this data
- Having necessary record-keeping practices in place for all data-processing activities
- Verifying that user consent is properly collected
- Appointing a data protection officer
- Examining data storage security to ensure user data protection
- Having an incident-response plan that covers notification of the ANPD and affected users, so that a breach is handled transparently and in compliance with the law
- Understanding applicable limits on cross-border data transfers
If your organization processes the personal data of people in Brazil, appointing a person or team to own LGPD compliance is critical. The right software can help, too. Okera helps data controllers keep innovating and doing business while preventing inappropriate access to confidential, personally identifiable and regulated data, which makes compliance with laws like the LGPD and GDPR easier.