The General Data Protection Law (LGPD) is Law No. 13,709, enacted on August 14, 2018. It governs the processing of personal data in Brazil and aims to protect fundamental rights of freedom, privacy, and the free development of individuals. The law applies to any data processing operation carried out within Brazilian territory, regardless of the nationality or location of the company, as long as the processing occurs in Brazil.
Principles and Rights in the LGPD
Principles
The LGPD is based on key principles, including:
- Purpose: Processing must be carried out for legitimate, specific, and informed purposes.
- Adequacy: The processing must be compatible with the stated purpose.
- Necessity: Processing should be limited to the minimum necessary to achieve the purpose.
- Free Access: Data subjects must have easy access to their personal data and information about its processing.
- Data Quality: Accuracy, clarity, relevance, and up-to-date status must be ensured.
- Transparency: Clear, precise, and accessible information must be provided about the processing.
- Security: Technical and administrative measures must be taken to protect personal data.
- Prevention: Steps should be taken to prevent damage due to data processing.
- Non-discrimination: Data processing must not be used for discriminatory purposes.
- Accountability: Entities must demonstrate compliance with data protection rules and readiness to remedy any harm.
Data Subject Rights
According to Article 18 of the LGPD, data subjects have the right, at any time and upon request, to:
- Confirm whether their data is being processed;
- Access their personal data;
- Correct incomplete, inaccurate, or outdated data;
- Anonymize, block, or delete unnecessary or non-compliant data;
- Transfer their data to another service or product provider;
- Delete data processed with their consent;
- Know with whom their data has been shared;
- Withdraw consent, as provided in Article 8.
Processing Agents and Responsibilities
The LGPD defines three key processing agents in Article 5:
- Controller: The entity that makes decisions about the processing of personal data.
- Processor: The party that processes data on behalf of the controller.
- Data Protection Officer (DPO): The liaison between the controller, data subjects, and the National Data Protection Authority (ANPD).
Compliance and Penalties
- Record-keeping: Controllers and processors must document their data processing activities (Article 37).
- Data Protection Impact Assessments: The ANPD may require impact assessments (Article 38).
- Administrative Sanctions (Article 52): These range from warnings to fines of up to 2% of a company’s revenue, limited to BRL 50 million per violation, and may include daily fines, public disclosure of the violation, and blocking or deletion of data.
History of the LGPD
- Early Proposals: The first formal bill on data protection, Bill 4060/2012, was introduced on June 28, 2012.
- Marco Civil da Internet: Enacted on April 23, 2014, as Law No. 12,965/2014, this law laid foundational principles for internet use and digital privacy in Brazil.
- Approval and Publication: The LGPD was sanctioned on August 14, 2018, and published the next day in the Official Gazette.
- Vacatio Legis: The law had an 18-month grace period and came into force on August 16, 2020.
- Sanctions: These became enforceable starting August 1, 2021.
- Creation of ANPD: The National Data Protection Authority was established by Provisional Measure 869/2018, later converted into Law No. 13,853/2019. The authority began operations in November 2020.
Sources: justbrasil
