The new postponement of LGPD was rejected by the Senate. LGPD will therefore become enforceable as of President Bolsonaro’s sanction/veto of PLV n. 34/2020, which must happen in up to 15 business days. Administrative sanctions remain suspended and will only be applicable from August, 2021.
Yesterday, in the digital session of August, 26, 2020, the Brazilian Senate confirmed that Brazil’s General Data Protection Law (Federal Law n. 13.709/2018 – LGPD) will come into effect concurrently with President Bolsonaro’s sanction to PLV n. 34/2020. This means that the LGPD will come into force sometime within the next 15 business days.
In order to assist you to better understand what this means, we prepared answers to a few FAQs on the matter:
We recommend that companies take two steps to ensure compliance with the LGPD:
(i) Data mapping – companies should initially investigate which personal data they hold (which has been collected in Brazil) so they can properly assess how such information is used; then
The compliance procedure will be very similar to the one described above. The difference is that we work with our clients to understand how to establish strategic procedures based on the company’s concerns and business model, also considering the costs and time available for compliance.
Administrative penalties for failure to comply with the LGPD will remain suspended and may only be applied from August 2021. Amongst these are pecuniary sanctions (up to R$50 million per infringement) and non-pecuniary sanctions (warnings, obligation to publicize the infringement and obligation to delete personal data).
No. Although the administrative sanctions will not be applicable until next year, as of the LGPD’s entry into force, users can enforce compliance with the new law and ensure their rights are protected. Additionally, failure to comply with users’ rights and other infringements may result in legal procedures against the company.
Yes, today Executive Decree n. 10.474 of 2020 was issued establishing the internal structure of the National Data Protection Authority – ANPD. ANPD will be an administrative body that will have amongst its functions the duty to verify compliance with the LGPD and to issue recommendations and regulations connected to the law. This Decree is an important step to ensure that ANPD may be functioning at least by the end of this year.
The Technology and Data Protection Team of Dias Carneiro is following-up the developments of the matter and is available for any clarifications.