Inspired by the privacy-first approach of the European Union’s General Data Protection Regulation, Brazil introduced a data protection law of its own. The LGPD is a standout privacy law that offers protection for its users and takes a serious stance on data privacy.
In this guide, we’ll take a look at the LGPD in detail. We’ll take you through what it stands for, who it applies to, the main principles and rights, and your responsibilities as an organization.
The Lei Geral de Proteção de Dados Pessoais (LGPD) is the Brazilian general data protection law, similar to the EU’s General Data Protection Regulation (GDPR). It was introduced in 2020 to give Brazilians greater rights over their personal information, and to place new responsibilities on organizations that collect and process it.
The LGPD places strict requirements on organizations that it applies to. They must demonstrate that they adhere to the principles of processing personal data, and have a legal basis for doing so. This helps protect the personal and sensitive information of Brazilians and makes everyone more aware of and responsible for data privacy.
While the LGPD was undoubtedly inspired by the GDPR, there are some areas where the two laws differ. For example, any organization that the LGPD applies to needs to hire a data protection officer — with the GDPR, this isn’t as strict. The LGPD also has more legal bases for processing than the GDPR, making it easier for organizations to find a suitable option.
The LGPD doesn’t just apply to businesses that are based within Brazil. Like other privacy laws, its protections and obligations extend beyond the country’s borders: if you process the personal data of people in Brazil, it applies to you.
In short, the LGPD applies in situations where one or more of the following are involved:
This means that if you are located within Brazil or do business with Brazil, it’s likely that the LGPD applies to your operations. Even if you don’t already have customers in Brazil, it makes sense to apply these principles anyway — you never know where your next customer will come from.
As with any law or regulation, there are exceptions. There are some situations in which the LGPD does not apply, even if the above can be satisfied.
Examples of situations in which the LGPD does not apply include where data is processed for:
Sometimes it may be difficult to determine whether your business activity falls under an exemption or not. In these cases, it’s a good idea to check with a specialist or seek legal advice.
The LGPD applies to the processing of personal data, and this definition is quite wide. Under the LGPD, personal data is defined as any data that relates to an identified or identifiable natural person.
Examples of personal data categories that could fall under this include:
As well as personal data, the LGPD outlines a separate category of sensitive personal data. This category features information that is highly personal and sensitive and should be processed with greater care. Examples of sensitive data include race, religious beliefs, and biometric data.
As under many privacy laws, anonymized data is not considered to be personal data. There is an exception, however, if the anonymization process can be reversed with reasonable effort.
Organizations also need to consider whether other pieces of data can be combined to meet the definition of personal data above. In those cases, they should be mindful of processing it under the legislation’s principles.
If the LGPD applies to your business’s activities, you’ll need to demonstrate a clear legal basis for processing personal data before you do so. Brazil’s LGPD sets out ten legal bases for processing, which offers more scope and flexibility to organizations than the GDPR.
These legal bases for processing data, as defined in Article 7, are:
You might find that you satisfy more than one legal basis for a given data processing activity. In most cases, for general business activity, you’ll want to seek consent or rely on your legitimate interests for processing data. Consent should be lawfully given, and should meet the following requirements:
One key area to note here is that consent should be given for a specific purpose. If you wish to use that personal data again for another purpose, you should seek consent for this further use. You should also make it easy for users to withdraw their consent. For example, if someone wishes to unsubscribe from your email newsletter, this should be as simple as the process to sign up in the first place.
The LGPD seeks to give its protected users greater rights over how their personal data is processed and stored. This places control back in their hands and puts businesses under greater scrutiny than before.
Under Article 18 of the LGPD, individuals gain the right to:
Often, users will make these requests by submitting a data subject access request. If you use a data privacy platform like Enzuzo, you can easily embed a form for this on your website. Once a user has submitted a request, an organization either needs to reply immediately with a simplified response — or send a clear and complete report within 15 days.
Users also have the opportunity to make a complaint about how a business is handling their personal data. They are free to submit a complaint to the national Data Protection Authority (DPA), in this case the Autoridade Nacional de Proteção de Dados (ANPD), and to have that complaint heard and actioned if required.
The LGPD doesn’t just give rights to Brazilians. It places responsibilities on organizations that the legislation applies to, in order to uphold those rights and aid the protection of personal data.
Here are the main responsibilities of businesses that fall under the scope of the LGPD.
You shouldn’t simply collect, process, and share personal data without giving it due thought. Instead, follow the LGPD’s principles for processing data, as outlined in Article 6, as follows:
Build your processes and culture around the principles above and it’s much easier to not only stay compliant with the LGPD but other major privacy laws too — like the GDPR, Canada’s PIPEDA, or California’s CCPA. Having a thoughtful approach to data privacy and security is always the best way to protect your organization against any potential action.
Unlike under the GDPR, every organization that falls under the scope of the LGPD must appoint a data protection officer (DPO). It’s the data protection officer’s responsibility to handle compliance at the organization.
The data protection officer’s role includes:
While this may feel like a burden for smaller organizations, the right processes and tools can help make this easier for the person that performs this role. Use tools like Enzuzo to simplify and streamline the data subject request process and help stay on top of compliance.
Under the LGPD, you cannot transfer data to another country unless certain conditions are met — to protect data privacy and uphold users’ rights fully. This means you should take care when selecting which third parties and software tools to use as part of your daily operations.
In order to transfer data internationally, the following conditions should be satisfied:
These safeguards are in place to ensure not only the data security of users, but to help your organization stay compliant too. If the measures above can’t be met, it’d be wise to resolve these — or select a different contractor, software tool, or third-party provider.
Like other data privacy laws, the LGPD requires organizations to report a breach if one occurs. Any security incident or breach needs to be reported to the Data Protection Authority. There’s no specific timeframe given for this, only that it should be done within a “reasonable time period”.
Any data breach notification should provide key information to the DPA, to allow them to understand what’s happened. This should include a brief overview of the event, the personal data affected, potential risks, and any rectifications taken or future measures taken to ensure it doesn’t happen again.
Although many organizations are happy to follow the rules and comply without potential enforcement, there needs to be a way for Data Protection Authorities to handle noncompliance and infractions. In the case of the LGPD, options include warnings, fines, and restrictions.
Fines for non-compliance with the LGPD can be up to 50 Million Brazilian reais (approximately $9.9 Million USD) or 2% of a company’s annual turnover. These fines are per violation.
Outside of fines, the Data Protection Authority also has other ways to address the situation. They can choose to either block or delete the personal data concerned, or suspend access to the database for a period of up to six months. This could have a potentially widespread impact on an organization’s business or marketing activities, so it’s essential that compliance is a top priority.
With fines and restrictions looming as potential consequences of non-compliance, staying compliant with the LGPD is essential. Thankfully, it doesn’t have to be complicated.
Feature all the key sections that are required, including your contact information, which data is processed and how, third-party transfers, and how users can exercise their rights. Users can navigate the drop-down, section by section format with ease, and move straight to the information that’s most relevant to them at the time.
With multiple privacy laws at play for most ecommerce businesses, keeping track of different deadlines for data subject requests can get challenging. It’s easy to miss a deadline if you’re working from a spreadsheet or non-specialized tool.
With Enzuzo, you’ll get access to an easy-to-use privacy portal. From here, you can view, action, and complete requests from users. You’ll also get notifications about upcoming deadlines, so it’s easier to complete them on time. Our platform also allows you to generate compliance reports, so you can demonstrate to the DPA or your users that you’re operating within the law.
Privacy law compliance might seem out of reach or impossible, but there are ways to make it easier. Build an understanding of the LGPD’s key principles, user rights, and your responsibilities. Create policies and processes that help you achieve compliance, and invest in tools that simplify the process.