The Ultimate Guide to the LGPD
On September 18, 2020, Brazil’s first comprehensive personal data protection law went into effect: A Lei Geral de Proteção de Dados Pessoais, or the LGPD. The LGPD expands on earlier sectoral laws that introduced oversight over data processing activities in Brazil.
The LGPD is similar to other existing global data protection regulations, as it establishes and protects the rights and freedoms of individuals and provides increased transparency to its covered data subjects. The law covers the activities of data controllers and processors and creates requirements in how they interact with personal data. Enforcement of the law by the National Data Protection Authority (ANPD) began on August 1, 2021. Read this guide to learn the scope of the LGPD, who's covered by the law and what their obligations are, as well as key compliance areas.
How does the LGPD compare to the GDPR?
The European Union’s (EU) General Data Protection Regulation (GDPR) has, over time, acted as a reference point for many other countries which have been seeking to adopt or amend their own laws. When looking at both laws, it’s clear that there are several similarities between the two, though important differences should also be noted.
Among the similarities, each law grants several rights to data subjects, defines sensitive personal data in similar terms, and requires data controllers and data processors to maintain records and conduct data protection impact assessments (DPIAs). Significantly, both laws also apply extra-territorially, meaning that companies not established within the jurisdiction can still be subject to their requirements.
However, there are also key differences between the GDPR and LGPD. Under the GDPR, both controllers and processors are required to appoint a data protection officer (DPO) under certain circumstances, whereas the LGPD only explicitly covers such appointment for controllers. The GDPR specifies six bases that support legal data processing; the LGPD goes further and lists ten. Additionally, there are important differences in timeframes that organizations should bear in mind, such as when you should respond to a data subject’s request for access.
Personal data under the LGPD
Personal data
The LGPD defines personal data broadly as information relating to an identified or identifiable natural person. This includes data that, on its own or in combination with other data, could be used to identify the person who generated it or to whom it relates; the law is not limited to Brazilian citizens.
Sensitive data
The LGPD defines 'sensitive data' as personal data on racial or ethnic origin, religious belief, political opinion, membership of a union or of a religious, philosophical or political organization, data concerning health or sex life, and genetic or biometric data, when related to a natural person.
Data subject rights under the LGPD
The LGPD establishes the fundamental rights of data subjects:
- Right to confirmation of the existence of processing
- Right to access
- Right to correction of incomplete, inaccurate, or outdated personal data
- Right to anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in non-compliance with the LGPD
- Right to the portability of data, meaning the transfer of personal data to another service or product provider upon express request
- Right to deletion of personal data processed on the basis of consent
- Right to information about the public and private entities with which the controller has shared their data
- Right to information about the possibility of denying consent and the consequences of doing so
- Right to revoke consent
- Right to request review of decisions made solely on the basis of automated processing of personal data
Does the LGPD apply to your organization?
You must examine the law's territorial and material scope to determine whether the LGPD covers your organization.
Territorial scope of the LGPD
The LGPD applies to any personal data processing operation carried out in Brazil. It also applies, irrespective of where the processing entity is headquartered or where the data is stored, in two further cases: when the personal data was collected in Brazil, and when the purpose of the processing is to offer or supply goods or services to individuals located in Brazil, or to process the data of individuals located in Brazil.
Data is considered collected in Brazil when the data subject was in Brazil at the time of collection.
Material scope of the LGPD
The LGPD applies to the processing of personal data carried out by a natural person or by a public or private legal entity.
The LGPD's material scope comes with a few exceptions:
- Processing by a natural person exclusively for private and non-economic purposes
- Processing exclusively for journalistic or artistic purposes
- Processing exclusively for academic purposes (the LGPD's rules on legal bases still apply in this case)
- Processing exclusively for public safety, national defense, state security, or the investigation and prosecution of criminal offenses
- Data originating outside Brazil that is not communicated to or shared with Brazilian processing agents, nor transferred to a country other than the one it came from, provided the country of origin offers a level of protection the LGPD deems adequate
Principles of processing data as defined by the LGPD
Under the LGPD, the processing of personal data should be done in good faith, and in accordance with a number of principles; another feature of the law that bears a strong resemblance to the GDPR.
- Purpose: The data controller must establish a purpose for processing that is legitimate, specific, explicit, and communicated to the data subject. Subsequent processing for purposes incompatible with those communicated is non-compliant.
- Adequacy: The data and processing activities must be justifiable and align with these purposes.
- Necessity: Those familiar with the GDPR will recognize this principle: data controllers must practice data minimization.
- Free access: Data controllers must allow data subjects to exercise their rights afforded by the LGPD by providing free and easy access to their personal data.
- Data quality: Data controllers must guarantee that processed data is accurate, up-to-date, and relevant to justify processing.
- Transparency: Data controllers must provide accurate, accessible, and clear notices to users about data processing, including information about the third parties with access to their personal data.
- Security: Data controllers and processors must adopt technical and administrative measures that protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or dissemination.
- Prevention: Data controllers and processors must implement preventive technical and organizational measures to reduce or remove the possibility of damage arising from data processing.
- Non-discrimination: Personal data may not be processed for unlawful or abusive discriminatory purposes.
- Accountability: Data controllers and processors must adopt effective measures to comply with the law and be able to demonstrate that those measures are in place and working.
Legal bases for processing data under the LGPD
You must justify your personal data processing activities with at least one of the LGPD's ten legal bases.
- Free, informed, and unambiguous consent of the data subject
- Compliance with a legal or regulatory obligation
- For public administration, when necessary for carrying out public policies supported by laws, regulations, or contracts
- Studies carried out by research bodies, with personal data anonymized whenever possible
- Fulfilling a contractual agreement that involves the data subject
- Exercising rights in judicial, administrative, or arbitration proceedings
- Protecting life and physical safety
- Protecting health, exclusively in a procedure carried out by health professionals, health services, or health authorities
- Legitimate interests of the data controller or third party, except when a data subject's interests, rights, and freedoms supersede them
- For credit protection
There is no hierarchy among these ten legal bases.
For processing sensitive data, the LGPD provides a separate and narrower set of legal bases.
- Specific and distinct consent of the data subject or their legal representative, given separately and for specific purposes
- Where indispensable for compliance with a legal or regulatory obligation by the controller
- Shared processing of data necessary for the execution, by the public administration, of public policies provided for in laws or regulations
- Studies carried out by research bodies, with sensitive personal data anonymized whenever possible
- Where indispensable for the regular exercise of rights, including in contracts and in judicial, administrative, and arbitration proceedings
- Where indispensable for the protection of the life or physical safety of the data subject or a third party
- Protection of health, exclusively in a procedure carried out by health professionals, health services, or health authorities
- Prevention of fraud and protection of the data subject's security in the processes of identification and authentication of registration in electronic systems, except where the data subject's fundamental rights and freedoms requiring protection of personal data prevail
Controller and processor obligations under the LGPD
A controller is a person or organization that makes decisions about any kind of personal data to be processed, whilst a processor is a person or legal entity that processes data for a controller.
Under the LGPD, a processor must carry out processing according to the controller's instructions, and the controller must verify that those instructions and the law are being followed. In practice, this means putting a binding contract in place before any processing begins and selecting only processors that can demonstrate they are able to meet the LGPD's requirements.
That contract should define in specific terms the subject matter, duration, nature, and purpose of the processing, the types of data and categories of data subjects involved, and the obligations and rights of the controller. It may also include provisions on legal liability, specific security measures, and how the controller and processor will collaborate on data subject requests and incidents.
Controllers and processors are also bound by the LGPD in several other areas, including data security, data confidentiality, and record-keeping. When data is transferred outside Brazil, it must continue to receive a level of protection equivalent to that required inside Brazil. Controllers must also notify the Autoridade Nacional de Proteção de Dados (ANPD) and the affected data subjects, within a reasonable period, of any security incident that may cause risk or relevant damage to data subjects. Controllers are further required to appoint a Data Protection Officer for their organization.
Fines and enforcement
Non-compliance with these requirements can result in penalties, including fines imposed by the ANPD (generally less severe than GDPR penalties) and other sanctions provided for in Brazilian law, such as warnings, publication of the infraction, and the blocking or deletion of the personal data involved.
The LGPD introduced novel requirements for covered organizations doing business in Brazil. To avoid fines of up to 2% of the organization's revenue in Brazil for the previous fiscal year, capped at R$ 50M per violation, entities must align their existing data privacy and security efforts with the particulars of this law.
LGPD compliance summarized
Below, we've summarized the most important takeaways for businesses building their LGPD compliance program from scratch:
- Individuals have several rights under the LGPD related to their data. They are similar to those under the GDPR.
- The law's extraterritorial scope covers organizations outside Brazil that offer goods or services to individuals located in Brazil, or that process the data of individuals located in Brazil.
- You must identify at least one of the ten legal bases for personal data processing, and one of the narrower set of legal bases in the case of sensitive data.
- Establishing a data subject access request (DSAR) program will be critical to respecting user rights.
- Controllers must appoint a Data Protection Officer.
- Data transfers outside Brazil must maintain the same level of protection required within the country.
- Controllers must notify the ANPD and affected data subjects, within a reasonable period, of security incidents that may cause risk or relevant damage to data subjects.