Brazil’s new General Data Protection Law is sanctioned by the President

Posted on: 20/8/2018

Brazil’s new General Data Protection Law is sanctioned by the President

On August 14th, the Brazilian President Michel Temer sanctioned the Brazilian General Data Protection Law (“LGPD”), which will become effective as from February 2020.

Clearly reminiscent of the General Data Protection Regulation (GDPR), in force in the European Union since May 2018, the LGPD establishes a broad data protection regime in Brazil and imposes specific rules for the collection, use, processing and storage of personal data, both electronic and physical.

As per the new Law, personal data is “any information that may allow the exact and precise identification of a certain person”, which should be interpreted as any data such as name, address, e-mail, age, marital status, and financial situation, obtained from any type of support or means (paper, electronic, computer, sound, image or other). Sensitive data is also covered by the LGPD, encompassing information relating to social and ethnic origin, genetic, sexual orientation and political opinion. 

Amongst the several aspects encompassed by the LGPD, the main elements covered thereby include:

  • Legal basis for data processing: the processing of personal data may only be carried out where there is a legal basis for such processing, which may include, among other bases, cases in which the processing is (a) done with the consent of the data owner; (b) necessary for complying with a legal or regulatory obligation; (c) necessary for the fulfilment of an agreement; (d) necessary to meet the legitimate interest of the data controller or third parties; or (e) for the protection of credit, under the terms of the Brazilian Consumer Protection and Defense Code (CDC).
  • Cross-Border jurisdiction: application not only to the organizations headquartered in Brazil and to companies processing personal data in Brazil, but also to cross-border processing of personal data of Brazilian residents.
  • Consent requirements:  data owners must provide their consent in advance and for a specific purpose. Such consent shall be free, informed, unequivocal, and may be revoked at any time.
  • Obligation to keep the information securely: legal entities must treat the collected information securely, protecting such information from non-authorized access or from  accidental or illicit situations of destruction, loss, alteration, communication or any other inadequate or illicit treatment.
  • In case of information leaking: national authorities shall be notified within a certain time frame which has yet to be established. Depending on the circumstances, the public disclosure of the fact may be determined by national authorities.

It is to note that the Brazilian President vetoed several sections of the LGPD, such as the establishment of a regulatory board - the National Data Protection Authority (NDPA) -, and justified his veto by reference to a formal legal obstacle allowing the establishment of new regulatory bodies only through Executive Power initiative (and not by means of Parliament-approved law).

In what concerns the punishments established by the LGPD due to non-compliance with its requirements, it is to note the fines amounting to 2% of gross sales (of the company or a group of companies) or a maximum sum of R $ 50,000,000.00 (fifty million BRL) per infringement, approximately USD 12.9 million.

  • T. +55 21 3514 0400
  • F. +55 21 3514 0401 / 3852 3495
  • Headquarters: Av. das Américas, 4200, BL9, Suites 217-B to 220-B | Rio de Janeiro, RJ | Brazil | 22640-102.
    São Paulo Branch: 1098, St Leopoldo Couto de Magalhães Júnior / Conj. 44 - Itaim Bibi - São Paulo, SP - CEP 04542-001 Brazil.