Lei Geral de Proteção de Dados Pessoais (LGPD or General Personal Data Protection Law) is Brazil’s data protection and privacy law that is closely modeled on the General Data Protection Regulation (GDPR) in the European Union. LGPD was passed by the National Congress of Brazil on July 10, 2018, in an effort to unify and enhance 40+ data privacy instruments within the country into a single piece of legislation. LGPD went into effect on September 18, 2020. Like the GDPR, the law impacts global organizations beyond Brazil’s borders.
The extent to which LGPD applies to your organization will depend on the specific nature of your business, so you should always seek skilled legal counsel to help you navigate compliance requirements. However, if your organization does business in Brazil or collects/processes the data of any individual within Brazil, you should familiarize yourself with LGPD’s requirements (summarized below) to understand what impact these regulations may have on you.
The following information is not intended as legal advice, and readers should consult with their attorneys about matters of compliance.
LGPD was passed to demonstrate and protect individuals’ right to privacy. Despite Brazil being Latin America’s technology leader and one of the top 10 tech markets in the world, its data protection laws have failed to keep pace with this technological growth. As a side-effect of that rapid growth, Brazil has experienced a number of recent high-profile data breaches. LGPD establishes a clear requirement for organizations to implement controls that protect individuals’ personal data, with the end goal of reducing the impact of breaches on individuals.
In addition to introducing privacy regulations, the LGPD also established a separate national authority, the Autoridade Nacional de Proteção de Dados (ANPD or National Data Protection Authority in English), which is responsible for enforcing the law, including issuing penalties and fines. The creation of the ANPD was originally vetoed by President Jair Bolsonaro but later reinstated via executive order in August of 2020.
LGPD applies to any organization (or individual) regardless of size, industry, public or private status, or country of residence.
Any legal entity or natural person processing data collected from persons in Brazil (“data controller”) is subject to LGPD if:
- The data collected/processed is about people in Brazil;
- The processing is carried out inside Brazil;
- The processing is for the purposes of offering and selling goods or services to individuals in Brazil; or
- The processing is of personal data collected within Brazil.