Inspired by the privacy-first approach of the European Union’s General Data Protection Regulation, Brazil introduced a data protection law of its own. The LGPD is a standout privacy law that offers protection for its users and takes a serious stance on data privacy.
In this guide, we’ll take a look at the LGPD in detail. We’ll take you through what it stands for, who it applies to, the main principles and rights, and your responsibilities as an organization.
What is the LGPD?
The Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil's general data protection law, closely modelled on the EU's General Data Protection Regulation (GDPR). It was enacted in August 2018 as Law No. 13,709/2018 and came into force in September 2020, giving Brazilians greater rights over their personal information and placing new responsibilities on organizations that collect and process it.
The LGPD places strict requirements on organizations that it applies to. They must demonstrate that they adhere to the principles of processing personal data, and have a legal basis for doing so. This helps protect the personal and sensitive information of Brazilians and makes everyone more aware of and responsible for data privacy.
While the LGPD was undoubtedly inspired by the GDPR, the two laws differ in some areas. For example, every data controller within the LGPD's scope must appoint a data protection officer (the "encarregado"), whereas the GDPR requires one only in specific cases, such as large-scale monitoring of individuals. The LGPD also recognizes ten legal bases for processing against the GDPR's six, which makes it easier for organizations to find a suitable basis for a given activity.
Who Does the LGPD Apply To?
The LGPD doesn't apply only to businesses based in Brazil. Like other modern privacy laws, its reach is extraterritorial: an organization anywhere in the world falls within scope if it processes the personal data of people located in Brazil.
In short, the LGPD applies in situations where one or more of the following are involved:
- Data collected within Brazil is processed in any location
- Data is processed within the territory of Brazil
- Data of people located in Brazil is processed in any location, including processing aimed at offering them goods or services
This means that if you are located within Brazil or do business with Brazil, it’s likely that the LGPD applies to your operations. Even if you don’t already have customers in Brazil, it makes sense to apply these principles anyway — you never know where your next customer will come from.
Exemptions from the LGPD
As with any law or regulation, there are exceptions. There are some situations in which the LGPD does not apply, even if the above can be satisfied.
Examples of situations in which the LGPD does not apply include where data is processed for:
- Exclusively private, non-economic purposes by a natural person
- Exclusively academic purposes (although the legal bases in Articles 7 and 11 still apply)
- Exclusively journalistic or artistic purposes
- Public safety, national defence, state security
- Investigation and prosecution of criminal offences
Sometimes it may be difficult to determine whether your business activity falls under an exemption or not. In these cases, it’s a good idea to check with a specialist or seek legal advice.
How the LGPD Defines Personal Data
The LGPD applies to the processing of personal data, and this definition is quite wide. Under the LGPD, personal data is defined as any data that relates to an identified or identifiable natural person.
Examples of personal data categories that could fall under this include:
- Mailing address
- Telephone number
- Email address
- IP address
- Location data
As well as personal data, the LGPD defines a separate category of sensitive personal data, which must be processed with greater care and under the narrower legal bases of Article 11. Under Article 5, sensitive data covers racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organization, data about health or sex life, and genetic or biometric data.
As under many privacy laws, anonymized data is not considered personal data (Article 12). The exception is data whose anonymization can be reversed with reasonable effort; such data remains personal data and stays in scope.
Organizations also need to consider whether separate pieces of data, once combined, identify a person and so meet the definition above. If they do, the combined data is personal data and must be processed under the law's principles.
Legal Basis for Processing Data
If the LGPD applies to your business' activities, you'll need a clear legal basis for each processing activity and be able to demonstrate it. The LGPD sets out ten legal bases for processing (the GDPR has six), which gives organizations more scope and flexibility.
These legal bases for processing data, as defined in Article 7, are:
- With the consent of the data subject or user
- To comply with a regulatory or legal obligation required by the data controller
- To support the execution of public policies set out by law or in regulations (by the public administration)
- To carry out studies by a research entity (anonymizing the personal data whenever possible)
- To fulfil a contract or the pre-contract procedures at the request of the user
- To aid the regular exercise of rights in administrative, arbitration, and judicial procedures
- To protect life or ensure physical safety, either of the user or a third party
- To protect the user's health, exclusively in procedures carried out by health professionals, health services, or health authorities
- To fulfil the legitimate interests of either the data controller or a third party, unless the user’s rights or freedoms should override this
- To provide for the protection of credit
You might find that more than one legal basis covers a given processing activity. For general business activity you'll usually rely on consent, performance of a contract, or your legitimate interests. Under Article 8, consent must be given in writing or by another means that demonstrates the data subject's intent, and must meet the following requirements:
- The user has given their consent freely
- They have been fully informed of what they are consenting to
- The consent is specific to a processing purpose
- The request for consent is shared in plain language and easy to understand
- The user’s consent can be easily withdrawn at any stage
One key area to note here is that consent must refer to a specific purpose; Article 8 treats generic, blanket authorizations as void. If you wish to use the personal data for another purpose, seek fresh consent for that use. You should also make it easy for users to withdraw their consent. For example, if someone wishes to unsubscribe from your email newsletter, this should be as simple as the process to sign up in the first place.
What Rights Does the LGPD Introduce?
The LGPD seeks to give data subjects greater rights over how their personal data is processed and stored. This places control back in their hands and puts businesses under greater scrutiny than before.
Under Article 18 of the LGPD, individuals gain the right to:
- Confirm the existence of their data and that it’s being processed
- Be informed about any third parties that this data has been shared with
- Access their data
- Data portability
- Make changes to data which is incomplete or inaccurate
- Request the anonymization, blocking, or deletion of data that is unnecessary or excessive, or that is being processed in breach of the LGPD
- Request the deletion of data processed on the basis of their consent, subject to the retention exceptions in Article 16
- Information on how to remove consent, and the consequences of doing so
- Remove their consent for data processing
Often, users will make these requests by submitting a data subject access request. If you use a data privacy platform like Enzuzo, you can easily embed a form for this on your website. Once a user has submitted a request, the organization must either reply immediately in a simplified format or provide a clear and complete statement within 15 days of the request (Article 19).
Users can also complain about how a business is handling their personal data. They are free to petition Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), against the controller, and to have the complaint heard and acted on if required.
Your Responsibilities Under the LGPD
The LGPD doesn’t just give rights to Brazilians. It places responsibilities on organizations that the legislation applies to, in order to uphold those rights and aid the protection of personal data.
Here are the main responsibilities of businesses that fall under the scope of the LGPD.
Follow the Principles for Processing Data
You shouldn’t simply collect, process, and share personal data without giving it due thought. Instead, follow the LGPD’s principles for processing data, as outlined in Article 6, as follows:
- Purpose: Process data only for legitimate, specific, and explicit purposes that you have told the data subject about, and do not later process it in a way that is incompatible with those purposes
- Adequacy: Your processing must be compatible with the purposes you communicated to the data subject, given the context
- Necessity: Process only the minimum data needed to achieve the purpose; the data must be relevant, proportionate, and not excessive
- Transparency: Give clear, precise, and easily accessible information about the processing and about who carries it out
- Data quality: Ensure that the personal data you hold is accurate, clear, relevant, and up to date, or take steps to make this the case
- Free access: Let data subjects easily and free of charge consult how and for how long their data is processed, and see the full data you hold on them
- Non-discrimination: You cannot process personal data for unlawful or abusive discriminatory purposes
- Security: You and your data processors must have technical and administrative measures in place to safeguard personal data against unauthorized access and against accidental or unlawful destruction, loss, alteration, communication, or dissemination
- Prevention: Take measures to prevent damage arising from the processing of personal data
- Accountability: Be able to demonstrate, with evidence, that you have adopted effective measures to comply with the LGPD
Build your processes and culture around the principles above and it’s much easier to not only stay compliant with the LGPD but other major privacy laws too — like the GDPR, Canada’s PIPEDA, or California’s CCPA. Having a thoughtful approach to data privacy and security is always the best way to protect your organization against any potential action.
Have a Data Protection Officer
Unlike the GDPR, which requires one only in specific cases, the LGPD requires every data controller within its scope to appoint a data protection officer (Article 41). The officer does not have to be an employee, and the ANPD has since exempted small-scale processing agents from the appointment requirement, so check its current rules. The data protection officer is responsible for handling compliance at the organization and acts as its point of contact for data subjects and the ANPD.
The data protection officer’s role includes:
- Respond to messages, requests, and complaints from users
- Act as an advisor to employees, contractors, and third parties on data protection and processing guidance
- Receive communications from the ANPD and adopt any measures it sets out
- Perform any other relevant duties set out by their organization’s policies and rules
While this may feel like a burden for smaller organizations, the right processes and tools can help make this easier for the person that performs this role. Use tools like Enzuzo to simplify and streamline the data subject request process and help stay on top of compliance.
Only Make Allowed International Data Transfers
Under the LGPD, you can transfer personal data to another country only when one of the conditions in Article 33 is met, so that data privacy and users' rights are upheld wherever the data ends up. This means you should take care when selecting which third parties and software tools to use as part of your daily operations.
An international transfer is allowed when at least one of the following conditions is satisfied (Article 33 lists further grounds, such as international legal cooperation, protection of life, execution of public policy, or specific authorization from the ANPD):
- The receiving country has an adequate level of data protection
- The controller proves that the recipient is bound to protect the data to a standard at least equal to the LGPD, through specific or standard contractual clauses, global corporate rules, or recognized seals, certificates, or codes of conduct
- An international agreement for data transfers exists between the Brazilian DPA and the DPA of the receiving country
- The user has given specific, highlighted consent for the transfer, after being told clearly that the data will leave Brazil
These safeguards are in place to ensure not only the data security of users, but to help your organization stay compliant too. If the measures above can’t be met, it’d be wise to resolve these — or select a different contractor, software tool, or third-party provider.
Notify of Data Breaches
Like other data privacy laws, the LGPD requires organizations to report breaches. Under Article 48, the controller must notify both the ANPD and the affected data subjects of any security incident that may cause risk or relevant damage to those data subjects. The law itself gives no fixed deadline, only a "reasonable time period" to be defined by the ANPD; the ANPD has since regulated notification timing, so check its current rules for the applicable window.
A breach notification should give the ANPD the key information it needs to understand what happened: at least a description of the nature of the affected personal data, information on the data subjects involved, the technical and security measures that were in place, the risks arising from the incident, the reasons for any delay in notifying, and the measures taken or proposed to contain the damage and prevent a recurrence.
What Happens if You Don’t Comply With the LGPD?
Although many organizations follow the rules without the threat of enforcement, the ANPD needs a way to handle noncompliance and infractions. Under Article 52 of the LGPD, its options include warnings, fines, publicizing the infraction, and restrictions on processing.
Fines for non-compliance with the LGPD can reach 2% of the revenue that the company, group, or conglomerate earned in Brazil in its last fiscal year (net of taxes), capped at 50 million Brazilian reais (roughly $9.9 million USD at the time of writing) per violation. The ANPD can also impose daily fines up to the same cap.
Beyond fines, the ANPD has other ways to address the situation. It can order the infraction to be publicized, block or delete the personal data concerned, partially suspend operation of the affected database for up to six months (extendable for a further six), suspend the processing activity, or prohibit the processing altogether. Any of these could have a widespread impact on an organization's business or marketing activities, so compliance needs to be a top priority.
An Easier Way to Manage LGPD Compliance
With fines and restrictions looming as potential consequences of non-compliance, staying compliant with the LGPD is essential. Thankfully, it doesn’t have to be complicated.
Your privacy policy should feature all the key sections the LGPD requires, including your contact information, which data is processed and how, third-party and international transfers, and how users can exercise their rights. A drop-down, section-by-section format lets users navigate the policy with ease and move straight to the information that's most relevant to them at the time.
Manage Your Compliance From a User-Friendly Portal
With multiple privacy laws at play for most ecommerce businesses, keeping track of different deadlines for data subject requests can get challenging. It’s easy to miss a deadline if you’re working from a spreadsheet or non-specialized tool.
With Enzuzo, you’ll get access to an easy-to-use privacy portal. From here, you can view, action, and complete requests from users. You’ll also get notifications about upcoming deadlines, so it’s easier to complete them on time. Our platform also allows you to generate compliance reports, so you can demonstrate to the DPA or your users that you’re operating within the law.
Simplify Your LGPD Compliance
Privacy law compliance might seem out of reach or impossible, but there are ways to make it easier. Build an understanding of the LGPD’s key principles, user rights, and your responsibilities. Create policies and processes that help you achieve compliance, and invest in tools that simplify the process.