Brazil Privacy Law

Lei Geral de Proteção de Dados (General Data Protection Law) - Brazil

Overview and Scope

The Brazilian General Data Protection Act (LGPD, from its Portuguese name Lei Geral de Proteção de Dados) establishes rules on the collection, handling, storage and sharing of personal data by organizations.

The LGPD applies to any person or organization, regardless of where they are based or where the data is located, if one of the following conditions is met:

  1. The data processing takes place in Brazil.
  2. The data processing is related to the offering or provision of goods or services in Brazil, or the processing of data of individuals in Brazil.
  3. The personal data being processed was collected in Brazil.

According to Article 3(§1) of the LGPD, personal data collected in Brazil refers to data about individuals who were in Brazil at the time of collection.

Does it require providing a privacy notice?

Yes. In order to be LGPD compliant, the organisation must include the following in its notice:

  • the specific purpose of the processing;
  • the type of processing and the duration of the processing;
  • the identity and contact details of the data controller;
  • information about who the data is shared with and why;
  • the responsibilities of any processors or agents that will carry out the processing;
  • the applicable user rights and how they can be exercised.

Nature of consent under the LGPD

Under the LGPD, consent must be “free, informed and unambiguous”. This means that consent must not be coerced, the consenting action required of the user must be clear, and users must be adequately informed before granting consent. Consent must also be given for a specific purpose, and it must always be possible for users to revoke or withdraw it.

What are the categories of sensitive personal data?

Sensitive personal data is personal data on racial or ethnic origin, religious belief, political opinion, trade union or religious affiliation, or philosophical or political organisation membership, as well as data relating to health or sex life, or genetic or biometric data, when related to a natural person (Article 5(II) of the LGPD).

What exemptions, if any, are there for academic research?

The LGPD does not apply to data collected for academic research purposes.

Does it require a data protection impact assessment or other category of risk assessment?

The national authority has the power to require the controller (the party responsible for collecting and processing data) to create a Data Protection Impact Assessment (DPIA) for their data processing operations, taking into consideration commercial and industrial secrecy. The DPIA should include a description of the types of data being collected, the method of collection, and an analysis of the measures and safeguards taken to ensure the security of the information. This is stated in Articles 10(§3º) and 38 of the Brazilian General Data Protection Law (LGPD).

Does it require appointing a representative in Brazil?

No such requirement is stated.

How is it enforced?

The Brazilian National Data Protection Authority (ANPD) is the primary regulatory body for data protection in Brazil. It is a government agency under the President of the Republic and consists of the following:

  • A board of directors (the highest decision-making body)
  • The National Board of Personal Data Protection and Privacy
  • An internal affairs office
  • An ombudsman
  • A legal advisory body
  • Any other necessary administrative and specialized units

This is outlined in Article 55(C) of the LGPD.

What are the potential penalties?

Under the LGPD, the following sanctions may be imposed for non-compliance (Article 51 of the LGPD):

  1. Warnings, with a specified timeframe for the adoption of corrective measures
  2. Simple fines of up to 2% of the legal entity's, group's, or conglomerate's sales revenue in Brazil in the previous fiscal year (excluding taxes), capped at BRL 50 million (approximately €9.6 million) per violation
  3. Daily fines, subject to the maximum limit in point 2
  4. Disclosure of the violation after it has been investigated and confirmed
  5. Blocking of the personal data in question until it is regularized
  6. Deletion of the personal data in question
  7. Partial suspension of the functioning of the databases related to the non-compliant action for up to six months, which can be extended for an additional six months
  8. Partial or total prohibition on activities related to data processing.