Brazil • LGPD

General Data Protection Law

Lei Geral de Proteção de Dados

The General Data Protection Law (LGPD) is a federal law in Brazil designed to unify 40 existing laws to regulate processing of the personal data of individuals.

It was passed on September 18 2020 and was backdated, coming into effect on August 16 2020. Penalties became enforceable on August 1 2021.

Who Does it Affect

The LGPD applies to any data processing that takes place in Brazil for the purpose of offering goods and services of processing data or persons located in Brazil. The means of processing are not relevant.

Data processing carried out by any natural person or public or private legal entity (usually a business or organisation) is subject to the LGPD. The organization performing the data processing does not have to have a physical presence in Brazil or be based there. It only matters if the data subjects are located there and the processing takes place there. This component of extraterritoriality is common to international privacy laws.


Exemptions

The LGPD does not apply where the processing of personal data:

  • Is carried out by a natural person exclusively for private and non-economic purposes
  • Is done solely for journalistic, artistic and/or academic purposes
  • Is conducted solely for the purposes of public safety, national defence, national security, or the investigation and prosecution of criminal offences
  • Originates outside of Brazil and is not subject to communication or sharing with Brazilian data processors or subject to international transfer to a country other than the country of origin (provided that the country of origin provides an adequate level of data protection

Consumer rights

To confirm whether their data is indeed being processed

Any data being processed about them

Of any incomplete, inaccurate or out-of-date data

Any unnecessary or excessive data or data processed in non-compliance with the LGPD should be anonymized, blocked or deleted.

Data should be portable to other service or product providers.

Of any data that was previously processed with the consent of the data subject. There are some exceptions to this as listed in Article 16 of the LGPD. These mainly relate to legal and regulatory obligations, research, transfer of data and exclusive use.

And which entities it has been shared with both private and public.

Should a data subject refuse to give consent what consequences may they face because of this.

As provided for in Article 8 of the LGPD, consent may be revoked at any time by express request of the data subject. This must be able to be done through a free of charge procedure.


Find out more about how Value Privacy can help your business stay on top of privacy laws.

You can also get in touch with us any time with any queries you have

Don’t forget you can keep up with us here as well

en_USEN