Brazil - General Data Protection Law (LGPD)
- Lawfulness, Fairness and Nondiscrimination
- Transparency and Free Access
- Purpose Specification, Use Limitation and Suitability
- Data Minimisation, Storage Limitation and Accuracy
- Security and Prevention
- Accountability and Recordkeeping
- Data Protection Officer
- Privacy Impact Assessment
- Data Subject Rights
- Vendor Management
- Cross-Border Data Transfer and Data Localisation
- Incident and Breach
- The Executive Order No. 869 Amendments to LGPD
The Brazilian General Data Protection Law (‘lei geral e única de proteção de dados pessoais’ – “LGPD”) is the first omnibus comprehensive Brazilian privacy legislation. The LGPD adopts a number of principles coming from the EU privacy laws. The LGPD aims to provide a strong uniform level of protection to the personal data of Brazilian residents and to ensure safeguards to the processing and international transfers of the data.
The LGPD adopted text has been amended by the Executive Order no. 869 of December 27, 2018. As a result, new supervisory and enforcement institutions have been established and certain other sections of the law have been changed.
The guidance/articles in this section address the general topics regarding the LGPD jurisdiction, key responsibilities of the data controllers as well as the rights of the individuals.
- OneTrust: Brazil LGPD Toolkit
- OneTrust: What is the Brazil General Data Protection Law (LGPD)
- OneTrust: Privacy Rights under the Brazilian LGPD vs. the GDPR Guide
Lawfulness, Fairness and Nondiscrimination
The LGPD establishes a sum of 10 legal bases enabling the controllers to lawfully process individuals’ personal data. These cover the familiar bases of consent or fulfillment of a contract along with more specific bases like protection of credit. Controller relying on a specific legal basis must be able to prove their compliance with specific requirements for each processing purpose – for example, the individual’s consent is only lawful under the LGPD if it is unambiguous, specific and freely given.
In order to comply with the principle of non-discrimination, the organisations must never process personal data for illegal, abusive or discriminatory purposes. The LGPD includes specific requirements for processing of personal data of children and adolescents. Such requirements include specific, independent and highlighted consent of at least one of the parents/legal representative. Furthermore, the information on the data processing that is being provided in these instances must be simple, clear and accessible to inform the parents/legal representative and to be appropriate for the children’s understanding.
Furthermore, the LGPD specifically distinguishes a category of sensitive personal data for which the processing is only allowed (i) with the individual’s specific consent, or (ii) without their consent when it is indispensable for one of the 7 outlined legal bases. Sensitive personal data under the LGPD include personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.
Transparency and Free Access
Transparency under the LGPD is closely related to the requirements for the processing of individuals’ personal data. On a general level, it requires the controllers to adopt open and forthcoming approach towards the individuals – allowing for easy and free access to clear information about their personal data processing and implementing processes to facilitate the individuals’ exercising of rights.
Purpose Specification, Use Limitation and Suitability
LGPD requires that processing activities be done in good faith and for legitimate, specific and explicit purposes. At the same time, the individuals must be informed of such purposes. It is forbidden to process the personal data for a subsequent purpose that is different and incompatible with the original purposes with no possibility of subsequent processing that is incompatible with these purposes.
The LGPD’s suitability principle seeks to ensure compatibility of the processing with the purposes communicated to the individual in the context of their personal data processing.
Data Minimisation, Storage Limitation and Accuracy
Data minimisation principle under the LGPD requires the organisations to limit the amount and scope of personal data they process to the minimum necessary to achieve their purposes. Only data that are relevant, proportional and non-excessive in relation to the purposes of the data processing should be used.
Furthermore, the organisations should generally delete the personal data following the termination of their processing in order to limit their storage.
The accuracy principle under the LGPD requires the organisations to ensure clarity, relevancy and timely updates of the personal data to achieve compatibility of the processing with the purposes communicated to the data subject.
Security and Prevention
Under the LGPD, organisations must implement security technical and administrative measures that enable them to protect personal data from unauthorized access and accidental or illegal destruction, loss, alteration or deletion.
Furthermore, the security measures must be adhered to by all organisations involved in the data processing throughout the data’s lifecycle.
The prevention principle of the LGPD requires organisations to adopt measures for preventing incidents and damages due to the processing of personal data.
Accountability and Recordkeeping
Under the LGPD’s principle of accountability, it is the responsibility of organisations processing personal data to demonstrate that they have adopted efficient measures ensuring compliance with the LGPD’s personal data protection requirements, including the efficacy of such measures.
As an element of the accountability principle, both the controller and processor must maintain records of personal data processing operations that they carry out.
Data Protection Officer
The LGPD introduces a duty for data controllers to appoint an officer to be in charge of processing personal data. The officer can either be a natural person, or even a third-party organisation. The officer’s contact information should be publicly available and their tasks should include communication with the data subjects and regulatory authority, adopting privacy-related measures within the organisation and educating the employees as well as vendors on data protection practices.
Privacy Impact Assessment
In relation to certain data processing operations (for example when processing is based on a legitimate interest), the data controller may be required to prepare an impact report on the protection of personal data, including sensitive data. The impact records serve as an assessment of the controller’s processing operations and how they mitigate any risks related to the specific processing operations.
Data Subject Rights
The LGPD recognizes a set of rights of the individuals related to the processing of their personal data that the controllers are obliged to honour.
These rights include:
- the right to information (confirming the existence and extent of the data processing);
- the right of access to data;
- the right of data rectification related to incomplete, inaccurate or outdated data;
- the right of anonymisation, blocking or elimination of excessive or unlawfully processed data;
- the right of data portability from one controller to another;
- the right of elimination of data processed with the data subject’s consent;
- the right to be informed which recipients did the controller share the data with;
- the right to be informed of the possibility of refusing a consent and the related consequences; and
- the right to request a review of decisions taken solely on the basis of automated personal data processing that affect the data subject in certain ways.
The LGPD requires for the controller to verify that the processor adheres to the controller’s data processing instructions and that the processor also follows the legal rules governing the specific processing operations.
Cross-Border Data Transfer and Data Localisation
The LGPD permits transfer of personal information outside Brazil only if the conditions are met for one of nine legal bases for the cross-border data transfer. These conditions can be met for example based on the adequacy decision establishing “adequate” level of protection to personal data in a specific country. Furthermore, the transfer can be based on various forms of controller’s compliance guarantees (standard contractual clauses etc.). There are also several legal bases for transfer addressing the necessity for various legal and public interest reasons. The transfer can also be carried out based on the individual’s specific and distinct consent.
Incident and Breach
The controllers are required under the LGPD to immediately communicate to the national authority and to the affected data subjects any occurrence of a security incident that may create risk or relevant damage to the data subjects. Any such communication should (among other elements) include the description of risks related to the incident and the measures that were or will be adopted to reverse or mitigate the effects of the damage.
The Executive Order No. 869 Amendments to LGPD
The Executive Order No. 869 has introduced the following amendments into the LGPD (a mark-up of the updated LGPD in Portuguese):
The National Data Protection Authority (‘ANPD’)
The Executive Order has established the National Data Protection Authority as an indepent federal regulatory agency. Similarly to the EU Member State Data Protection Authorities, the ANPD is to provide complementary norms and regulatory oversight.
The ANPD powers and responsibilities are the following:
- ensuring the protection of personal data and editing norms and procedures on the topic,
- interpreting the LGPD,
- managing complaints on violations of the LGPD and requesting information at any time from the controllers and processors regarding the personal data processing operations,
- imposing sanctions for violations of the LGPD,
- communicating any discovered criminal offenses to the competent authorities, communicating to the internal control organs the noncompliance with the LGPD by federal public administration bodies,
- broadening public knowledge about the privacy norms and data protection,
- stimulate the adoption of personal data processing standards for services and products that facilitate control and protection of the individuals,
- prepare studies on national and international practices for data protection and promote cooperation with other data protection authorities,
- hold public consultations on relevant topics in the ANPD sphere of activities,
- draft a list of public administration bodies responsible for regulating specific sectors and liaise with these,
- prepare annual reports on its activities.
Although the ANPD does not have the authority to carry out audits with the organizations, its power to request information and impose sanctions should ensure its efficient enforcement authority.
The National Council for the Protection of Personal Data and Privacy
The Executive Order re-introduced into the LGPD the National Council for the Protection of Personal Data and Privacy – the Brazilian equivalent of the EU Data Protection Board, formerly the Art. 29 Working Party. Formally a part of the ANPD, the National Council should be comprised of representatives of the executive branch, legislators, civil society entities, innovation institutions and even business sector representatives, thus aiming to capture wide-reaching consensus for its guidelines.
The National Council’s tasks are as follows:
- proposing strategic guidelines,
- preparing annual evaluation reports,
- suggesting actions to be carried out by the ANPD,
- preparing studies and holding public debates and hearings on the personal data protection topics,
- spreading public knowledge about protection of personal data and privacy.
New ‘Vacatio Legis’ Period
Thanks to the Executive Order, the LGPD vacatio legis period before the LGPD becomes effective has been stretched from 18 to full 24 months – until August 14, 2020. During this period, the ANPD should consult and guide the organizations on their way towards full privacy compliance.
A set of other LGPD sections have been amended as well.
Data Protection Officers
The Executive Order has amended the LGPD text to open up possibilities for the Data Protection Officer role to be held not only by a natural person, but alternatively also by an organization or other third-party entity.
Sensitive Medical Personal Data
The new updated wording of the LGPD opens up the possibilities for controllers’ sharing or communicating sensitive medical personal data of the individuals. This should be allowed (i) if the individuals consents, or (ii) if this is necessary for adequately providing supplementary health services.
Right to Review Solely Automated Decisions
The Executive Order has maintained the individuals’ right to request review of decisions about them which are based solely on automated processing of their personal data. Similar right is vested in the GDPR Art. 22. However, as opposed to the GDPR, the individuals in Brazil do not have a right to request human review of such decisions.
Sharing Public Registry Data with Private Entities
With the updated LGPD wording, there is a wider range of situations where the public authorities are allowed to share the personal data of individuals with private entities. These include e.g. cases when such transfer is intended to prevent fraud or to protect the security of the individuals (data subjects).
In Brazil, it is currently not mandatory to notify personal data breaches, yet it is recommended. Furthermore, the Art. 10 of Consumer Protection Code (in Portuguese) may require notifications to affected data subjects and competent authorities when a data breach may cause damage to the data subjects. In addition, it is recommended to inform sectoral agencies when an industrial actor overseen by such agencies suffered a data breach. When the LGPD becomes effective on August 14, 2020, the data controllers will be required to inform both the national data protection authority and the affected individuals about personal data breaches that may create risk or relevant damage to the individuals. Such notification shall be done in a reasonable time period which will be defined by the national data protection authority.
Is it Mandatory to Notify Individuals?
Yes, for consumer relationship. Otherwise not, only recommended.
Is it Mandatory to Notify Regulator?
Yes, for consumer relationship. Otherwise not, only recommended.
The National Data Protection Authority (‘ANPD’)
Breach Notification Format
In cases of faulty services or products which produce harm to the individuals, the notification should be made immediately. For general personal data breaches, there are currently no requirements as to the format of the notification. There may, however, be specific requirements for informing about sectoral breaches according to banking laws, TELCO regulations etc.
Brazil - General Data Protection Law (LGPD)
Law No. 13,709, of August 14, 2018
The first omnibus comprehensive Brazilian privacy legislation. The LGPD adopts a number of principles coming from the EU privacy laws and will enter into force on August 14, 2020.
Last Updated: May 8, 2019
DataGuidance by OneTrust provides a suite of privacy solutions designed to help you monitor regulatory developments, mitigate risk and achieve global compliance.
OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management. More than 2,500 customers, both big and small and across 100 countries, use OneTrust to implement their privacy, security and third-party risk programs, automatically generating the specific record keeping needed to demonstrate compliance with privacy regulations including the EU GDPR, California Consumer Privacy Act (CCPA), Brazil LGPD, and hundreds of the world's privacy laws.