Data Privacy in Brazil

Brazil’s Lei Geral de Proteção de Dados (LGPD)

LGPD was passed in 2018 but didn’t go into effect until September 2020 and is the world’s third largest data privacy regulation, standing as the key regulation related to data privacy in Brazil. It takes inspiration from GDPR and CCPA but enforces less severe violation penalties. LGPD is modeled to protect data-holder rights, as well as ensure ethical data extraction and transfer. Companies that collect data while in Brazil and companies outside the country extracting data from Brazil must comply with LGPD. The statutory law on data privacy in Brazil is authorized by the National Data Protection Authority in the Federal Republic of Brazil.

Why LGPD Is So Important

Brazil has more than 138 million online users. It’s the largest internet-consuming market in Latin America. Data privacy in Brazil with LGPD unifies 40 pre-existing privacy laws, helping to refine its privacy protection laws for the safety of its people and businesses.

What’s Included in LGPD

LGPD contains 65 distinct data protection and processing articles divided across 10 chapters:

  • Chapter 1 includes preliminary provisions (Articles 1 – 6)
  • Chapter 2 deals with the processing of personal data (Articles 7 – 16)
  • Chapter 3 defines the data subject’s rights (Articles 17 – 22)
  • Chapter 4 states the rules and accountability related to processing activities (Articles 23 – 32)
  • Chapter 5 relates to international data transfer (Articles 33 – 36)
  • Chapter 6 deals with personal data processing agents (Articles 37 – 45)
  • Chapter 7 encompasses safety and good practices (Articles 46 – 51)
  • Chapter 8 defines administrative sanctions enforced to enable monitoring (Articles 52 – 54)
  • Chapter 9 covers the National Data Protection Authority (ANPD) and National Data Protection Council and Privacy (Articles 55 – 59)
  • Chapter 10 lists final and transitional provisions (Articles 60 – 65)

Consumer/Subject Rights under LGPD

Article 18 outlines basic online consumer/subject rights in front of the controller, including:

  • Right to meaningful notice
  • Right to know from businesses what data is being processed
  • Right to modify incorrect or incomplete personal data
  • Right to a copy of existing data from a data processing system
  • Right to block/anonymize/delete non-compliant personal data
  • Right to delete their personal data
  • Right to explicitly consent to personal data collection and what the consequences for denying consent will be
  • Right to revoke consent

Protection Eligibility under LGDP

Article 3 talks about the application of data within the geographical boundaries of Brazil:

  • There may be any data exchange for business purposes, i.e. selling/buying products or services in Brazil.
  • Whoever resides in Brazil and exchanges data for business and other purposes is protected under this Act.
  • The entire exchange of data in and outside Brazilian borders might be by any person, business entity, group, or association. All such parties must consider the subjection of LGPD while storing, processing, and exchanging data.
  • The business is not required to have a physical HQ in Brazil. The only thing required for protection under LGPD is that the data’s subject be in Brazil.

About Consent

  • Article 5 considers consent as an unambiguous, free, or informed expression. The data subject must agree to this expression that implies and confirms their cases of processing the given data for a well-defined purpose.
  • Article 8 mandates obtaining, or re-obtaining if need be, proof of consent. This article also states that the data processor must have a revocation slip if the consent is revoked.

LGPD Exceptions

Article 4 defines situations when or where LGPD does not apply. This includes when personal data gets handled or processed by:

  • A natural person for non-economic or private goals
  • Journalists, artists, or academia for their professional purposes
  • Exclusive purpose for national defense, public safety, legal investigation, state security, and prosecution of criminal offenses
  • Outside Brazil’s defined geographical boundaries, not shared with Brazilian subjects, and exchanged communication with other countries. (However, the data’s point of origin must still have a data protection law there.)

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.

Ready to get started?

Request a demo