Lei Geral de Proteção de Dados Pessoais (LGPD)

The Lei Geral de Proteção de Dados Pessoais (LGPD) is a comprehensive data protection law in Brazil that came into effect on September 18, 2020. It is similar to the European Union's General Data Protection Regulation (GDPR) and is designed to protect the privacy and personal data of Brazilian citizens.

The LGPD applies to any company or organization that processes personal data in Brazil, regardless of where the company is located. It grants individuals the right to access, correct, delete, and object to the use of their personal data. Companies must obtain explicit consent from individuals before collecting, using, or sharing their personal data, and must inform individuals of their rights under the LGPD.

Under the LGPD, companies are required to implement data protection measures and appoint a Data Protection Officer (DPO) to oversee compliance with the law. Companies must also report data breaches to the National Data Protection Authority (ANPD) and affected individuals within a specified timeframe.

Non-compliance with the LGPD can result in fines of up to 2% of the company's revenue in Brazil, limited to a maximum of 50 million Brazilian Reais per violation. Companies that operate in Brazil or process personal data of Brazilian citizens should take steps to comply with the LGPD to avoid potential penalties and reputational damage.

Timeline of the LGPD

The Lei Geral de Proteção de Dados Pessoais (LGPD) has gone through several stages and updates since it was first introduced. Here is a brief timeline of the LGPD:

  • August 14, 2018 - The LGPD is signed into law by Brazilian President Michel Temer.
  • August 2020 - The LGPD goes into effect, with enforcement initially scheduled to begin in February 2021.
  • September 1, 2020 - The Brazilian Congress approves Provisional Measure 959, which postpones the enforcement of some aspects of the LGPD until May 2021.
  • September 18, 2020 - The LGPD officially goes into effect, with enforcement postponed until August 2021 due to the COVID-19 pandemic.
  • May 3, 2021 - The ANPD begins enforcing the LGPD.

Guide to LGPD Compliance

If you are a company that collects personal data of Brazilian citizens, here are some steps you can take to ensure that you are LGPD compliant:

  1. Understand what personal data you collect: Create an inventory of the personal data you collect, where it is stored, and how it is used. This includes information such as name, address, email address, phone number, social security number, IP address, geolocation data, and browsing history.
  2. Provide notice to individuals: Create a privacy policy that explains your data collection practices and provide a notice at or before the point of collection. The notice must include the categories of personal data you collect, the purposes for which the data is used, and the categories of third parties with whom the data is shared.
  3. Obtain explicit consent: Obtain explicit consent from individuals before collecting, using, or sharing their personal data.
  4. Appoint a Data Protection Officer (DPO): Appoint a DPO to oversee compliance with the LGPD and serve as a point of contact with the National Data Protection Authority (ANPD).
  5. Implement data protection measures: Implement reasonable security measures to protect personal data from unauthorized access, use, disclosure, and destruction. This includes encryption, access controls, and regular security audits.
  6. Respond to data subject requests: Develop processes for individuals to request access to, correction of, deletion of, and the ability to object to the use of their personal data.
  7. Report data breaches: Report data breaches to the ANPD and affected individuals within a specified timeframe.

Following these steps can help ensure that your company is LGPD compliant and help it avoid potential fines for non-compliance.

This document was last updated on April 19, 2023.