LGPD – Companies have 18 months to adapt to the new Brazilian General Data Protection Law (Lei Geral de Proteção de Dados)
On August 15, 2018, Law No. 13,709, dated August 14, 2018, also known as the Brazilian “General Data Protection Law” (Lei Geral de Proteção de Dados) (“LGPD”), was published, starting the countdown of the 18-month term that well precede its entry into force, in February 2020. The individuals and public and private entities that perform data processing, either online or offline, shall have such period to adequate their operations to the obligations set forth by the new legislation.
Under the LGDP, the processing of personal data shall be made according to a legitimate purpose and a legal ground that supports it and which will probably require, in many cases, the obtainment of consent of the subject whose data will be processed.
Therefore, it is recommended, as first step, that the entities subject to the provisions of the LGDP review their business and internal procedures (e.g. types of existing databases, types of personal data collected and stored, use of personal data, among others), to identify those actions that involve some sort of processing of personal data and its features and, afterwards, to adopt the necessary solutions to comply with the requirements of the LGDP.
Some of the main aspects and definitions of the LGDP are :
(i) The legal definition of personal data: information related to an identified or identifiable natural person (ID, tax registry, name, address, telephone number, etc.).
(ii) The existence of certain types of personal data subject to specific rules, such as:
a. Sensitive personal data – racial or ethnic origin, religious belief, political opinion, health or sexual history, etc., whose treatment must comply with its own and more strict rules related to consent, purpose, etc.;
b. Personal data of children and teenagers – whose processing will be conditioned, among others, to the obtainment of specific and clear consent given by at least one parent or legal tutor;
c. Anonymized personal data – which will not be considered as personal data for the purposes of the LGDP, unless the anonymization process to which they have been submitted is reversed, using only your own resources, or when it can be reversed with reasonable efforts;
d. Data clearly made public by the subject – whose processing can be performed without the consent of the data subject.
(iii) The legal definition of data processing, which means a transaction performed with personal data (e.g. collection, reception, use, treatment, storage and disposal of personal data).
(iv) The different principles that shall be observed for the exercise of data processing activities, for example:
a. Purpose – performance of the date processing for legitimate, specific, explicit purposes, which have been informed to the data subject, without possibility of further processing in a way that is incompatible with such purposes;
b. Adequacy – compatibility of the data processing with the purposes informed to the data subject;
c. Necessity – limitation of the processing to the minimum necessary for the achievement of its purposes, with the inclusion of only relevant, proportional and non-excessive data.
(v) The requirements that authorize the processing of data, including the:
a. Obtaining consent of the data subject;
b. Compliance with legal or regulatory obligations;
c. Conduction of studies by research entities (guaranteed, whenever possible, the anonymization of the data);
d. Necessity of the data for the performance of contracts or preliminary procedures of which the subject is a party, at the request of the data subject;
e. Regular exercise of rights in judicial, administrative or arbitration proceedings; or
f. To fulfill the legitimate interests of the controller or third party (except in the case where the subject’s fundamental rights and freedoms prevail).
(vi) Requirements for the international transfer of personal data, including the:
a. The receipt country shall provide a level of protection of personal data appropriate to the LGDP;
b. Obtainment of specific and clear consent from the data subject regarding the performance of the international transfer;
c. Offer and demonstration by the controller of guarantees of compliance with the principles and the subject’s rights and the regime of data protection foreseen in the LGDP.
(vii) Agents involved in the processing of personal data, including:
a. Controller (controlador) – responsible for decisions regarding the processing of personal data, which will appoint a data protection officer (encarregado) who will act as a channel of communication between the controller, the data subjects and the national authority;
b. Data processor (operador) – responsible for processing personal data on behalf of the controller.
(viii) Failure to comply with the obligations set forth in the GDPL may result in the imposition of penalties, which will include:
a. Warning with the request of adoption of corrective measures;
b. Fine of up to two percent (2%) of the revenue in Brazil, limited to R$ 50,000,000.00 (fifty million Reais) per violation;
c. Blocking of the personal data to which the violation relates until its regularization; and
d. Elimination of the personal data to which the violation refers.
Lastly, due to the veto by Brazilian President Michel Temer of the provisions mentioning the creation of the Brazilian National Data Protection Agency (“ANPD“), there are doubts regarding the authority that shall be created to monitor the compliance and impose the sanctions foreseen in the LGDP, as well to that will be responsible for its effective enforceability.
Our team has been following this subject since the discussions of the bills of law in the Brazilian National Congress, as well as the publication of the General Data Protection Regulation (“GDPR“) in Europe, and is available to assist our clients in the challenge of adapting to the new regulation.
 Examples included for reference purposes and that do not correspond to an exhaustive listing of all relevant provisions of the LGPD.
For further information about the contents of this newsletter, please contact:
Francisca Sousa Guedes