What is the LGPD?
The LGPD is Brazil's General Data Protection Law (Lei Geral de Proteção de Dados), scheduled to take effect in February 2020.
It applies to Brazilian companies and also to companies outside Brazil that process the personal data of Brazilians.
The LGPD takes a risk-based approach, setting out core principles for data processing: fairness, lawfulness, non-discrimination, accountability, transparency of use, purpose limitation, accuracy, data minimization, security, integrity, confidentiality, and storage limitation.
Individuals are granted rights over their data, including data portability, erasure, and data access (with a short 15-day response timeline).
The LGPD introduces ten legal bases for lawful processing of data. Both controllers and processors are obliged to maintain data processing records and to conduct privacy impact analyses where processing poses a high risk to personal data.
Data controllers are obliged to notify the Brazilian national data protection authority and the affected individuals of personal data breaches. All data controllers, regardless of size, must appoint data protection officers responsible for oversight and for responding to data subject requests.
International transfers of data are permitted where the recipient country is deemed to provide an adequate level of data protection, or where using standard contractual clauses.
Non-compliance with the LGPD could result in fines of up to 2% of gross sales (of the company or group of companies), capped at fifty million reais (about $12.9 million US dollars) per infringement.