In September 2020, Brazil finally implemented its General Data Protection Law or Lei Geral de Proteção de Dados (LGPD). While Brazil already has 40 sectoral privacy laws at the federal level, this is the first law to provide the legal bases that authorize the use of personal data in the country.
The Brazil LGPD comprises 65 articles which lay down the enforcements that companies incorporated or trading within the country that use information of Brazilian nationals must comply with. Organisations that fail to follow the terms laid down in the law would be liable for a fine equal to 2% of their sales revenue, or even up to $50 million Brazilian Real (about USD 12 Million).
Understanding the Scope and Jurisdiction of Brazil Data Privacy Law
LGPD is applicable to organizations of all sizes operative or incorporated in Brazil. The few exceptions listed in the law in terms of scope include cases where data is collected exclusively for journalistic, artistic and academic purposes, or public safety and national defense. As for the jurisdiction, the law provides for extraterritorial jurisdiction. According to Article 3 under Brazil LGPD, any data collected or processed within the country or for the purpose of offering goods/services in the country are subject to the law. Since the law is applicable if any one of these conditions is met, the location of the organisation becomes irrelevant when we talk about the jurisdiction of this privacy law.
Explained: The Provision of Data Processing Under Brazil LGPD
Data processing under Brazil PGPD works in a similar fashion as it does in EU GDPR. Data processing is defined as the use of data, such as the collection, classification, processing, storage, sharing, transfer, elimination of personal data. According to the law, data processing entails three major roles – the operator, the controller, and the officer. Here’s a better explanation of the roles as defined under the law –
The Controller – He/She is responsible for determining the relevant data processing policies and creating associated guidelines.
The Operator – He/she ensures that the guidelines initiated by the controller are executed.
The Officer – His/Her role is to fill the gap between the controller, the data owner or subject, and the government agency or authority.
Under Article 7, the LGPD lists 10 lawful bases for data processing. They are:
- To comply with a legal or regulatory obligation of the controller;
- With the consent of the data subject;
- To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
- To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
- To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
- To exercise rights in judicial, administrative or arbitration procedures;
- To protect health, in a procedure carried out by health professionals or by health entities;
- To protect the life or physical safety of the data subject or a third party;
- To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
- To protect credit (referring to a credit score).
Other Key Enforcements Under the Brazil LGPD – A Breakdown
Just like the processing of personal data, GDPR and Brazil LGPD agree on some other basics of data privacy. However, this doesn’t mean that the two laws have nothing apart. Let’s look at some of the key enforcements under the Brazil Privacy Law to understand it better.
Definition of Personal Data – Just like in GDPR, the definition of personal data is not singular. The Brazil data privacy law clearly states that personal data could mean any data – as an individual entity or combined with other data – that identifies a natural person or subjects them to a specific treatment.
Data Subject Rights – While GDPR has 8 fundamental rights defined for the data subjects, Brazil LGPD has 9 of them. However, almost all of these 9 rights touch upon the same principles as the subject rights defined in GDPR. Here are the subject rights of the Brazil LGPD –
- The right to confirmation of the existence of the processing;
- The right to access the data;
- The right to correct incomplete, inaccurate or out-of-date data;
- The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
- The right to the portability of data to another service or product provider, by means of an express request
- The right to delete personal data processed with the consent of the data subject;
- The right to information about public and private entities with which the controller has shared data;
- The right to information about the possibility of denying consent and the consequences of such denial; and
- The right to revoke consent.
Data Protection Officer
This enforcement sets the Brazil LGPD apart from all other international data privacy laws. As stated under Executive Order no. 869/18, the required DPO to be appointed by each organization need not be a natural person. It could also be a committee, company or internal group. Alternatively, an organization may even outsource the position to a third party, such as a specialized data privacy as a service company or law firm.
How Secuvy Can Help You?
Secuvy’s AI-powered Privacy Platform solutions offer easy guidance to help you comply with the LGPD. Our privacy engineering and governance solutions evaluate your privacy data posture and recommend associated risks attached to sensitive data along with notification of remediation steps.
Secuvy provides detailed classification, analysis and reporting to associated risks across the data lifecycle including any gaps found and compliance with LGPD. Fast-track and automate your LGPD program using Secuvy’s privacy solutions. Please email us at [email protected] for free evaluation.