Data Advocacy for Brazil

After several discussions and postponements, the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, entered into force on September 18, 2020. The LGPD is Brazil’s first comprehensive data protection regulation, and it broadly aligns with the EU General Data Protection Act (GDPR).

Although the law has been in force since 2020, the penalties issued by the LGPD only became enforceable on August 1, 2021. However, public authorities (such as consumer protection bodies and public prosecutors) and data subjects could enforce their rights under the LGPD as of September 18, 2020.

There is currently no requirement to register with the National Data Protection Authority under Brazilian law.

The LGPD creates the position of Chief of Data Processing, which is the data protection officer (DPO) in charge of data processing operations. The DPO is responsible for the following:

  • Accepting complaints and communications from data subjects and the National Authority
  • Providing guidance to employees about good practices and carrying out other duties as determined by the controller or set forth in complementary rules

There is no prohibition against companies using an external DPO or against DPOs performing the same function for more than one company simultaneously. Likewise, the LGPD does not distinguish whether the DPO must be an individual or a legal entity.

Under the LGPD, collecting and processing are referred to as “data treatment”, and defined as all operations carried out with personal data, such as:

  • Collection
  • Production
  • Reception
  • Classification
  • Utilization
  • Access
  • Reproduction
  • Transmission
  • Distribution
  • Processing
  • Filing
  • Storage
  • Elimination
  • Evaluation
  • Control
  • Modification
  • Communication
  • Transfer
  • Diffusion, or
  • Extraction

The processing of personal data may only be carried out based on one of the following legal bases:

  • With data subject consent
  • To comply with a legal or regulatory obligation by the controller
  • By the public administration for the processing and shared use of data that are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
  • For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
  • For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party
  • For the regular exercise of rights in judicial, administrative or arbitration procedures
  • As necessary for the protection of life or physical safety of the data subject or a third party
  • For the protection of health, exclusively in a procedure carried out by health professionals, health services or sanitary authorities
  • To fulfill the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the data subject prevail, and
  • For the protection of credit

Notwithstanding the above, personal data processing must be carried out in good faith and based on the following principles:

  • Purpose
  • Suitability
  • Necessity
  • Free access
  • Quality of the data
  • Transparency
  • Security
  • Prevention
  • Nondiscrimination, and
  • Accountability

The controller and operator must keep records of the data processing operations they carry out, mainly when the processing is based on legitimate interest.

In this sense, the ANPD may determine that the controller must prepare an Impact Report on the Protection of Personal Data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.

The LGPD defines personal data as any information related to an identified or identifiable natural person.

Anonymized data is not considered personal data, except when the process of anonymization has been reversed or if it can be reversed, applying reasonable efforts.

Can you process sensitive data?

The LGPD defines sensitive personal data as any personal data concerning:

  • Racial or ethnic origin
  • Religious belief
  • Political opinion
  • Trade union
  • Religious, philosophical or political organization membership
  • Health or sex life
  • Genetic or biometric data

The transfer of personal data to other jurisdictions is allowed only subject to compliance with the requirements of the LGPD. Prior specific and informed consent is needed for such transfer unless:

  • The transfer is to countries or international organizations with an adequate level of protection of personal data.
  • There are adequate guarantees of compliance with the principles and rights of data subjects provided by LGPD, in the form of:
      • Specific contractual clauses for a given transfer
      • Standard contractual clauses
      • Global corporate norms, or
      • Regularly issued stamps, certificates, and codes of conduct
  • The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies
  • The transfer is necessary to protect the life or physical safety of the data subject or a third party
  • The ANPD has provided authorization
  • The transfer is subject to a commitment undertaken through international cooperation.
  • The transfer is necessary for the execution of a public policy or legal attribution of public service.
  • The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures.

According to the LGPD, any unauthorized access, and any accidental or unlawful destruction, loss, alteration, communication, or diffusion, is considered a breach. The controller is responsible for reporting to the ANPD and the data subject within a reasonable timeframe if the breach is likely to result in risk or harm to data subjects. The LGPD itself does not set a specific deadline for notifying the ANPD in the event of security incidents. However, according to guidance published by the National Authority on February 22, 2021, the communication must be made within two (2) working days, counted from the date of becoming aware of the incident.

An additional recommendation, which is not legally required, is to implement contractual clauses establishing the obligations regarding notification of breaches between controllers and processors, seeking to expedite the assessment and minimize the risks to the data subjects.

Brazil has no specific law regulating electronic marketing communications.

Because cookies and location data are associated with a natural person, their collection should also observe the same obligations provided by the Brazilian data protection law. However, the obligation does not apply to anonymized data, which is not considered personal data under the LGPD unless the process of anonymization has been reversed or can be reversed using reasonable efforts.

A proper legal basis is needed when using cookies and similar technologies that involve the processing of a user’s personal data (e.g., the information is linked or linkable to a particular user, IP address, a device, or other particular identifier). Under this scenario, two legal bases could be used, depending on the analysis of the concrete case: the data subject’s consent or the controller’s legitimate interest (in the case of essential cookies, for example).

The LGPD provides for penalties in case of violations of its provisions. Data processing agents that commit infractions can be subject to administrative sanctions, in a gradual, single, or cumulative manner, including a fine, simple or daily, of up to 2% of the revenues of a private legal entity, group or conglomerate in Brazil, up to a total maximum of R$50 million per infraction.

Exceptions to the obligation to remedy a violation exist only if:

  1. The agent (i.e., controller or the processor) did not carry out the data processing
  2. There was no violation of the data protection legislation in the processing, or
  3. The damage arises due to the exclusive fault of the data subject or a third party

The LGPD established the National Data Protection Authority (ANPD). On October 25, 2022, Law 14,460/2022 was published, altering ANPD’s role into a special and independent autarchic regime with administrative and budgetary autonomy as opposed to linking the ANPD to the Presidency of the Republic. The ANPD is also given technical and decision-making autonomy with jurisdiction over the Brazilian territory. In addition, the ANPD will have its own appointed public attorneys, which enables the National Authority to independently take judicial measures that it deems appropriate.