LGPD
What is LGPD?
The LGPD (Lei Geral de Proteção de Dados), or the Brazilian General Data Protection Law, is comprehensive legislation that safeguards the privacy and security of individuals in Brazil. It is Brazil’s equivalent to the EU’s GDPR and is designed to regulate the collection, use, processing, and storage of personal data by organizations in Brazil.
Overview of LGPD
- Law: Brazilian General Data Protection Law
- Region: Brazil
- Signed On: 14-08-2018
- Effective Date: 18-08-2020
- Industry: All industries that do business in Brazil
Personal Data Under the LGPD
LGPD protects two data types in Brazil: personal and sensitive.
Data Protection Principles
The law outlines eight fundamental principles governing data processing:
- Transparency: Be clear and specific about the data collection and processing purpose.
- Purpose limitation: Collect and process data only for the stated purposes and avoid further processing that is incompatible with those purposes.
- Data minimization: Collect and process only the minimum personal data necessary for the intended purpose.
- Accuracy: Ensure data accuracy and completeness, rectifying errors promptly.
- Security: Implement adequate technical and organizational measures to protect data from unauthorized access, accidental destruction, or alteration.
- Retention limitation: Retain data only for the necessary period to fulfill the processing purpose unless required by law.
- Data transfer: Ensure secure and responsible transfers of personal data outside Brazil, complying with legal requirements.
- Accountability: Demonstrate compliance with the principles and be accountable for personal data processing.
Rights Under LGPD
- Right to access
- Right to rectification
- Right to erasure
- Right to portability
- Right to object
- Right to information about automated decision-making
Who Needs to Comply with LGPD?
Organizations based in Brazil
Foreign organizations
Key Exceptions
- Processing for journalistic, artistic, or academic purposes, subject to specific conditions.
- Security incident exemption for non-personal data or low-risk incidents.
- Specific rules for public authorities and anonymized data processing.
Compliance Authority for LGPD
As of February 2024, the National Data Protection Authority (ANPD) has yet to become fully operational and enforce the LGPD. However, it plays a crucial role in promoting compliance by:
- Developing and publishing guidelines and directives related to data protection practices.
- Educating organizations and individuals about their rights and obligations under the LGPD.
- Conducting public consultations on legislative changes and regulatory updates.
- Preparing for future enforcement responsibilities.
Regulatory Penalties
Financial Penalties:
Non-financial Penalties:
In conclusion, LGPD (Lei Geral de Proteção de Dados) marks a pivotal development in Brazil’s data protection landscape, mirroring global efforts to fortify individuals’ privacy rights in an increasingly digital world. By aligning with transparency, accountability, and data subject rights principles, LGPD fosters trust between businesses and consumers and underscores the nation’s commitment to upholding robust data protection standards. Organizations can ensure compliance with LGPD while maintaining data usability for legitimate purposes by implementing data security solutions like data masking.
FAQs
How does LGPD define personal data?
LGPD defines personal data as any information related to an identified or identifiable individual, including but not limited to name, identification numbers, location data, and online identifiers.
Does LGPD apply to data processing activities outside Brazil?
Yes, LGPD applies to the processing of personal data carried out in Brazil, regardless of where the data controller is located, if the data processing activities are directed at individuals in Brazil, or if the data is collected in Brazil.
When did LGPD come into effect?
September 18, 2020.