After much debate, the Brazilian General Data Protection Legislation (Lei Geral de Proteção de Dados -“LGPD”) finally enters into force today.
Personal data can only be collected and processed when the processing operation is in compliance with LGPD’s principles. In brief, personal data can only be processed when such information is necessary and proportional for a legitimate purpose, which must be informed to the data subjects.
Also, data processing operations must be justified by one of the legal basis provided by LGPD.
Yes, data subjects, including clients (if your business model is B2C), employees, contractors and third parties in general now have new rights that can be exercised against data processing agents.
Amongst others, the right to confirm whether or not a processing operation is being carried out; the right to access, deletion, anonymisation of personal data, as well as the right to revoke consent.
Administrative penalties for failure to comply with the LGPD will remain suspended and may only be applied from August 2021. Amongst these are pecuniary sanctions (up to R$50 million per infringement) and non-pecuniary sanctions (warnings, obligation to publicize the infringement and obligation to delete personal data).
No. Although the administrative sanctions will not be applicable until next year, as of today, data subjects can enforce compliance with the new law and ensure their rights are protected. Additionally, failure to comply with users’ rights and other infringements may result in legal procedures against the company.
The Technology and Data Protection Team of Dias Carneiro is available to assist you with this new challenge.